
Windows Analysis Report
7AYsP32Q7Y

Overview

General Information

Sample Name: 7AYsP32Q7Y (renamed file extension from none to exe)
Analysis ID: 562059
MD5: 6ae185ce909f0b66306100824c28bad1
SHA1: 5f23a2d4b2c564c95606e537e557aa8251087746
SHA256: 074991cefc03a7683cb3c81e83c383010f45c130fdc6dafa13469bfffaf87867
Tags: 32 exe Formbook trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • 7AYsP32Q7Y.exe (PID: 2940 cmdline: "C:\Users\user\Desktop\7AYsP32Q7Y.exe" MD5: 6AE185CE909F0B66306100824C28BAD1)
    • DpiScaling.exe (PID: 2984 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Iodqgrdelf.exe (PID: 1244 cmdline: "C:\Users\user\Contacts\Iodqgrdelf.exe" MD5: 6AE185CE909F0B66306100824C28BAD1)
          • DpiScaling.exe (PID: 5944 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
        • Iodqgrdelf.exe (PID: 4140 cmdline: "C:\Users\user\Contacts\Iodqgrdelf.exe" MD5: 6AE185CE909F0B66306100824C28BAD1)
          • logagent.exe (PID: 720 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
        • autochk.exe (PID: 4856 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • msiexec.exe (PID: 3912 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
        • cscript.exe (PID: 6684 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
  • cleanup
{"C2 list": ["www.fyonkaly.com/ahc8/"], "decoy": ["methodicalservices.com", "lojahelius.com", "dxadxc.com", "keshaunharris.club", "hockeyengolfshop.online", "sherranmanning.com", "instylelimos.net", "plick-click.com", "tntexplode.com", "movement-practice.net", "nftlake.digital", "134171.com", "newhorizonseo.com", "lm-solar.com", "fahrrad-markt24.com", "creatologiest.com", "juststartmessy.com", "sady-rossii-ural.com", "blockchain-salt.com", "bestoflakegeorge.guide", "infinitymoversllc.com", "javelephant.com", "promocaozeraestoque.online", "p60p.com", "kreditineskorteleslt.com", "chronicfit.store", "onzep.store", "shafiqandmudasir.com", "vivemanku.online", "chengfengdh.xyz", "bets-bc-zrkqf.xyz", "cellparts10.com", "guardions.com", "talenue.store", "graffity-aws.com", "buddingwsetcg.top", "erikakorma.com", "playex.ltd", "jamaicarailways.com", "nfthunter.art", "ml-pilot.com", "athleteteas.com", "ruthdeliverance.info", "medicmir.store", "procurovariedades.com", "undermour01.club", "sneakeryeezy.com", "dallmann.info", "edm69.net", "micj7870.com", "silviomicalikush.xyz", "activa.store", "adeelnawaznj.com", "travispilat.com", "mercyships.kiwi", "amazon939.com", "talenterzllc.com", "sbxip.com", "phasernet.net", "taggalla.com", "pbspoolservices.com", "34gjm.xyz", "nuevochile.net", "busdijogja.com"]}
Source | Rule | Description | Author | Strings
Source: C:\Users\user\Contacts\fledrgqdoI.url, Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x58:$hotkey: \x0AHotKey=9
  • 0x0:$url_explicit: [InternetShortcut]
Source: C:\Users\user\Contacts\fledrgqdoI.url, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
Source | Rule | Description | Author | Strings
Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
76 further entries not shown.
Source | Rule | Description | Author | Strings
Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 7.0.DpiScaling.exe.72480000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 7.0.DpiScaling.exe.72480000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
85 further entries not shown.

          System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, Data: Details: C:\Users\user\Contacts\fledrgqdoI.url, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7AYsP32Q7Y.exe, ProcessId: 2940, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Iodqgrdelf

          AV Detection

Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed above)
Source: 7AYsP32Q7Y.exe, Virustotal: Detection: 20%
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Contacts\Iodqgrdelf.exe, Virustotal: Detection: 20%
Source: 7.0.DpiScaling.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.DpiScaling.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.2.msiexec.exe.2eac4e8.1.unpack, Avira: Label: TR/Patched.Ren.Gen8
Source: 20.0.logagent.exe.72480000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.DpiScaling.exe.72480000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.2.DpiScaling.exe.72480000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.DpiScaling.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.logagent.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.DpiScaling.exe.72480000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.logagent.exe.72480000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.logagent.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.logagent.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.DpiScaling.exe.72480000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 19.0.DpiScaling.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.DpiScaling.exe.72480000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.DpiScaling.exe.72480000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7AYsP32Q7Y.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: cscript.pdbUGP, source: DpiScaling.exe, 00000007.00000002.550569455.00000000008C0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP, source: DpiScaling.exe, 00000007.00000002.552336636.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 00000007.00000002.552731025.000000000480F000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 00000013.00000002.540918949.00000000043CF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000016.00000002.579194787.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb, source: DpiScaling.exe, DpiScaling.exe, 00000013.00000002.540918949.00000000043CF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000016.00000002.579194787.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cscript.pdb, source: DpiScaling.exe, 00000007.00000002.550569455.00000000008C0000.00000040.10000000.00040000.00000000.sdmp

          Networking

Source: Malware configuration extractor, URLs: www.fyonkaly.com/ahc8/
Source: 7AYsP32Q7Y.exe, 00000001.00000003.309723740.0000000000768000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.312295068.000000000075F000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Iodqgrdelf.exe, 00000009.00000003.412972906.000000000074F000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.442577155.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://onedrive.live.com/
Source: 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://onedrive.live.com/D
Source: Iodqgrdelf.exe, 00000009.00000003.408286510.000000000074F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=C38D15779
Source: Iodqgrdelf.exe, 0000000D.00000003.442577155.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://onedrive.live.com/download?cid=C38D15779AFD1231&resid=C38D15779AFD1231%21112&authkey=AJglnSs
Source: 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 00000009.00000003.412972906.000000000074F000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://onedrive.live.com/ownload?cid=C38D15779AFD1231&resid=C38D15779AFD1231%21112&authkey=AJglnSs0
Source: Iodqgrdelf.exe, 0000000D.00000003.442577155.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://onedrive.live.com/ve.live.com/
Source: 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.312295068.000000000075F000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.432603036.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.438634245.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.442577155.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/
Source: 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.312295068.000000000075F000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/J
Source: 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.312295068.000000000075F000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y
Source: 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 00000009.00000003.410519278.000000000075D000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 00000009.00000003.410740246.000000000075D000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4m423aJ2r6bprjijqR9Zhv79BsqXWchgBZ_yRRKAukc5TAIPNB4BdYAYidrCTJ4BkE
Source: Iodqgrdelf.exe, 0000000D.00000003.442577155.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4m4qzuMb9gIarzlKBTf0D1umDohf9Y3sIpL-K8zvk8UHM6XBD2Ajct4M-j4Gm20nJT
Source: Iodqgrdelf.exe, 00000009.00000003.412998037.000000000075A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4m8TXF6mlgGvccZFUvhwUh-l9zz_V1hgmOQiTI_douTr2wu7UlvtGbODDxtwhN0e5H
Source: Iodqgrdelf.exe, 00000009.00000003.408295630.0000000000753000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4mC-JI5vs5pbHFPeZ5KI8vSY-Zm0BYG_DfYRphHWKBbqd0ouSRcXTjDbP2g5pIoI5u
Source: 7AYsP32Q7Y.exe, 00000001.00000003.309723740.0000000000768000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.314806769.0000000000758000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.312295068.000000000075F000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4mPL6EaGmr7d1CmnxP8LzgR3rcH9luOFpR5APvojUZtRQCdMAq2C-_uZddZ6W0R9-N
Source: 7AYsP32Q7Y.exe, 00000001.00000003.363106403.0000000000758000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4mXdCXgV78z93QBfcFjKJ0ucHs8CARh8saaIpZ0Zw4IJExL4V9d7aCID-8TYoLJ0Qx
Source: Iodqgrdelf.exe, 0000000D.00000003.432603036.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.438634245.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.432635294.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.442577155.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Iodqgrdelf.exe, 0000000D.00000003.432387332.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://vru2ia.am.files.1drv.com/y4mqmZSB7T13rwuDyCkOltxUalsuuekof9Mak2JfMqUquSjRzSFu0dx_u0qHh2VQFIg
Source: unknown, DNS traffic detected: queries for: onedrive.live.com

          E-Banking Fraud

Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 7AYsP32Q7Y.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
          Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Contacts\fledrgqdoI.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: C:\Users\user\Contacts\fledrgqdoI.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: String function: 0471B150 appears 45 times
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: String function: 042DB150 appears 35 times
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047595D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047597A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047598F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759560 NtWriteFile
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_0475AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047595F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047596D0 NtCreateKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_0475A770 NtOpenThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759760 NtOpenProcess
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_0475A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_0475B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047598A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_047599D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759A10 NtQuerySection
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_04759B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 7_2_0475A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043198F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043199A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043195D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043196E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043197A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_0431B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_0431AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319560 NtWriteFile
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319A10 NtQuerySection
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_043196D0 NtCreateKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_0431A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_0431A770 NtOpenThread
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_04319760 NtOpenProcess
          Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 19_2_0431A3B0 NtGetContextThread
          Source: 7AYsP32Q7Y.exe, 00000001.00000003.301545667.0000000003710000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename WebPicker4 vs 7AYsP32Q7Y.exe
          Source: 7AYsP32Q7Y.exe, 00000001.00000000.299731510.0000000000474000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename WebPicker4 vs 7AYsP32Q7Y.exe
          Source: 7AYsP32Q7Y.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: 7AYsP32Q7Y.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Iodqgrdelf.exe.1.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: Iodqgrdelf.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe | Section loaded: (repeated entries; the DLL names are mis-encoded in the report and cannot be recovered)
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe | Section loaded: (repeated entries; the DLL names are mis-encoded in the report and cannot be recovered)
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2?????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2?????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2?????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2?????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2?????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l .dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??i.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??i.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??i.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??i.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ????.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ?l.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???2.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ???b.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??.dll
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeSection loaded: ??l.dll
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: 72480000 page execute and read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: 72480000 page execute and read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: 72480000 page no access
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: 72480000 page read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: 72481000 page read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeMemory allocated: 72480000 page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeMemory allocated: 72480000 page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeMemory allocated: 72480000 page no access
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeMemory allocated: 72480000 page read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeMemory allocated: 72481000 page read and write
          Source: 7AYsP32Q7Y.exeVirustotal: Detection: 20%
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeFile read: C:\Users\user\Desktop\7AYsP32Q7Y.exe
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\7AYsP32Q7Y.exe "C:\Users\user\Desktop\7AYsP32Q7Y.exe"
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Contacts\Iodqgrdelf.exe "C:\Users\user\Contacts\Iodqgrdelf.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Contacts\Iodqgrdelf.exe "C:\Users\user\Contacts\Iodqgrdelf.exe"
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeProcess created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Contacts\Iodqgrdelf.exe "C:\Users\user\Contacts\Iodqgrdelf.exe"
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeProcess created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Iodqgrdelfemgrjgzrzpbewqyzpzqin[1]
          Source: classification engineClassification label: mal100.troj.evad.winEXE@13/6@7/0
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Binary string: cscript.pdbUGP source: DpiScaling.exe, 00000007.00000002.550569455.00000000008C0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: DpiScaling.exe, 00000007.00000002.552336636.00000000046F0000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 00000007.00000002.552731025.000000000480F000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 00000013.00000002.540918949.00000000043CF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000016.00000002.579194787.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: DpiScaling.exe, DpiScaling.exe, 00000013.00000002.540918949.00000000043CF000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000016.00000002.579194787.0000000004E3F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: cscript.pdb source: DpiScaling.exe, 00000007.00000002.550569455.00000000008C0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0476D0D1 push ecx; ret
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A85995 push eax; iretd
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A85B44 push esi; iretd
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A870F6 push cs; iretd
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A8906B push esp; retf
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A8806C push es; retf
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A87E6E push cs; iretd
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeCode function: 13_3_03A87656 push esp; retf
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0432D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeFile created: C:\Users\user\Contacts\Iodqgrdelf.exe
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Iodqgrdelf
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Users\user\Contacts\Iodqgrdelf.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\DpiScaling.exeRDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\DpiScaling.exeRDTSC instruction interceptor: First address: 000000007248898E second address: 0000000072488994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exeRDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\logagent.exeRDTSC instruction interceptor: First address: 000000007248898E second address: 0000000072488994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 00000000008B8604 second address: 00000000008B860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exeRDTSC instruction interceptor: First address: 00000000008B898E second address: 00000000008B8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04756DE6 rdtsc
          Source: C:\Windows\SysWOW64\DpiScaling.exeAPI coverage: 5.9 %
          Source: C:\Windows\SysWOW64\DpiScaling.exeAPI coverage: 6.2 %
          Source: C:\Windows\SysWOW64\DpiScaling.exeProcess information queried: ProcessInformation
          Source: explorer.exe, 00000008.00000000.400081450.000000000EED4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}bwe
          Source: explorer.exe, 00000008.00000000.420887427.00000000086C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.421067968.000000000875B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000008.00000000.420887427.00000000086C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000008.00000000.392252295.00000000067C2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.392252295.00000000067C2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: 7AYsP32Q7Y.exe, 00000001.00000003.314786849.0000000000735000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363059633.0000000000735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000008.00000000.400081450.000000000EED4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.427008416.000000000EF1B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AppD
          Source: explorer.exe, 00000008.00000000.400081450.000000000EED4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}sapps_1
          Source: 7AYsP32Q7Y.exe, 00000001.00000003.314786849.0000000000735000.00000004.00000020.00020000.00000000.sdmp, 7AYsP32Q7Y.exe, 00000001.00000003.363059633.0000000000735000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW,
          Source: explorer.exe, 00000008.00000000.420887427.00000000086C9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Windows\SysWOW64\DpiScaling.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04737D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04753D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04793540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047C3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04723D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0479A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04744D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047C8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04796DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04741DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04741DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04741DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04712D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04712D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04712D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04712D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04712D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04727E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04727E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04727E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04727E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04727E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04727E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047CFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04748E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04758EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047CFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047946A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04714F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04714F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047537F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04728794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04797794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04797794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04797794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04730050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04730050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04797016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04797016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04797016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047140E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047158EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047AB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047420A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04793884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04793884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04734120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04734120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04734120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04734120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04734120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047951BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0475927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047CB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047A4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04719240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04754A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04754A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04715210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04715210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04715210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04715210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04733A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04728A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0472AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04743B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04743B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0471DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0473DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04744BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04744BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04744BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047E5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04742397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_0474B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047D138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_047CD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04721B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04721B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04357016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04357016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04357016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04391C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04356C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_04392073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0436C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0436C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_042F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_0430F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04353884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04353884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0435A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04304D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04304D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04304D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04313D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04353540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04301DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04301DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04301DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04388DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04356DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0438FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04314A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04314A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04308E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04391608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0431927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0438B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0438B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04364257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042E76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04318EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0438FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04302ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0439131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_043A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0430A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04303B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_04303B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_042DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 7_2_04759540 NtReadFile,LdrInitializeThunk,
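The fs:[00000030h] reads listed above are loads of the PEB pointer from the 32-bit TEB (these are WoW64 processes, so the 32-bit layout applies). PEB+0x02 is BeingDebugged and PEB+0x68 is NtGlobalFlag, the fields a classic debugger check reads, but PEB+0x0C (Ldr) is also what position-independent code walks to resolve APIs, so a PEB read by itself does not prove an anti-debug check; the explicit DebugPort queries (NtQueryInformationProcess with ProcessDebugPort) are the less ambiguous signal. The script below is an added triage example, not part of the Joe Sandbox report: it parses evidence lines in the shape shown above and tallies both signals per process. The sample lines are a hand-copied subset, the parser accepts both the run-together "exeCode function" form that text extractions of these reports produce and a space-separated form, the reading of the function identifier as process index, stage and virtual address is my interpretation of the sandbox naming, and the verdict rules are my own heuristic.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the evidence lines above (a hand-copied
# subset, not the full list). Both the run-together "exeCode function" form
# and a space-separated form are included on purpose.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 19_2_043020A0 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 19_2_0436B8D0 mov ecx, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\DpiScaling.exeProcess queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\logagent.exeProcess queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 7_2_04759540 NtReadFile,LdrInitializeThunk,",
]

# Function identifiers are read as <process index>_<stage>_<virtual address>;
# that is my reading of the sandbox naming (assumption), not documented on the page.
CODE_FUNC = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<body>.*)$"
)
DEBUGPORT = re.compile(r"Source:\s*(?P<src>.+?\.exe)\s*Process queried:\s*DebugPort\s*$")
# fs:[30h] is the PEB pointer in the 32-bit TEB; which register receives it varies.
PEB_READ = re.compile(
    r"\bmov\s+(?:e[a-d]x|e[sd]i|e[bs]p),\s*dword ptr fs:\[0*30h\]", re.IGNORECASE
)


def new_entry():
    return {"peb_reads": 0, "peb_functions": set(), "debugport_queries": 0}


def summarize(lines):
    """Count PEB reads (and the functions doing them) and DebugPort queries per process."""
    summary = defaultdict(new_entry)
    for line in lines:
        m = CODE_FUNC.search(line)
        if m:
            if PEB_READ.search(m.group("body")):
                entry = summary[m.group("src")]
                entry["peb_reads"] += 1
                entry["peb_functions"].add(m.group("addr").upper())
            continue  # other "Code function" evidence is not a PEB read
        m = DEBUGPORT.search(line)
        if m:
            summary[m.group("src")]["debugport_queries"] += 1
    return dict(summary)


def verdict(entry):
    """Heuristic reading of one process's tallies.

    A PEB read alone is ambiguous: shellcode resolving APIs through PEB->Ldr
    reads fs:[30h] too. PEB reads combined with an explicit DebugPort query is
    the pairing worth flagging as anti-debug behaviour.
    """
    if entry["peb_reads"] and entry["debugport_queries"]:
        return "anti-debug: PEB access + DebugPort query"
    if entry["debugport_queries"]:
        return "anti-debug: DebugPort query"
    if entry["peb_reads"]:
        return "PEB access only (could be API resolution)"
    return "no anti-debug evidence"


if __name__ == "__main__":
    for src, entry in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{src}: {entry['peb_reads']} PEB read(s) in "
              f"{len(entry['peb_functions'])} function(s), "
              f"{entry['debugport_queries']} DebugPort query(ies) -> {verdict(entry)}")
```

Run against the full list above, the same tally shows that process 19 (DpiScaling.exe) reads the PEB from dozens of distinct functions while also querying DebugPort, which is a far stronger statement than any single line.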

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\DpiScaling.exe Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 9F0000
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: DF0000
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\logagent.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 690000
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 6A0000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 140000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 150000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: D80000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: D90000
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 690000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 6A0000 protect: page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 protect: page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 140000 protect: page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 150000 protect: page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 72480000 protect: page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: D80000 protect: page execute and read and write
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: D90000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 value starts with: 4D5A
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 value starts with: 4D5A
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\DpiScaling.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\logagent.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 6A0000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 150000
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: D90000
          Source: C:\Users\user\Desktop\7AYsP32Q7Y.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
          Source: explorer.exe, 00000008.00000000.388552936.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.407078346.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.436325364.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.510076819.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000008.00000000.388839849.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.437001992.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.407437943.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.511597253.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.409960799.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.388839849.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.444658827.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.437001992.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.407437943.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.511597253.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.392134127.0000000005E10000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.388839849.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.437001992.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.407437943.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.511597253.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.388839849.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.437001992.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.407437943.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.511597253.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000008.00000000.462908991.000000000875B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.396887667.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.421067968.000000000875B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Contacts\Iodqgrdelf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
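Read together, the Memory allocated / Memory written / Thread created / Process created lines above form one injection chain per injector and target pair: the injector spawns the target, allocates execute-read-write regions in it, writes into each of them, one of the writes beginning with 4D5A (the "MZ" signature of a PE header, so a whole image lands at 72480000, the same base the Yara matches below are reported against), and then starts a thread whose EIP is the base of one of the other regions (6A0000, 150000, D90000). That is the pattern behind the "Injects a PE file into a foreign process" and "Creates a thread in another existing process" signatures. The script below is an added example, not code from the report: it reconstructs that chain from lines in this shape and flags the PE-injection pattern. The sample lines are a hand-copied subset, and because the report gives region bases but not sizes, the thread-entry check compares against bases exactly and would miss an entry point that lies inside a region rather than at its start.

```python
import re
from collections import defaultdict

# Constructed sample copied in the shape of the injection evidence above:
# one injector/target pair in full and a second pair abbreviated.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeProcess created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 690000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 6A0000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 690000",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 6A0000",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeMemory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 value starts with: 4D5A",
    r"Source: C:\Users\user\Desktop\7AYsP32Q7Y.exeThread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 6A0000",
    r"Source: C:\Users\user\Contacts\Iodqgrdelf.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: D90000 protect: page execute and read and write",
    r"Source: C:\Users\user\Contacts\Iodqgrdelf.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: D90000",
]

# Accepts both the run-together "exeMemory written" form and a space-separated one.
EVENT = re.compile(
    r"Source:\s*(?P<src>.+?\.exe)\s*"
    r"(?P<event>Process created|Memory allocated|Memory written|Thread created):\s*"
    r"(?P<target>.+?\.exe)\b\s*(?P<rest>.*)$"
)
BASE = re.compile(r"base:\s*(?P<base>[0-9A-Fa-f]+)")
PROTECT = re.compile(r"protect:\s*(?P<prot>.+)$")
MAGIC = re.compile(r"value starts with:\s*(?P<magic>[0-9A-Fa-f]+)")
EIP = re.compile(r"EIP:\s*(?P<eip>[0-9A-Fa-f]+)")


def new_chain():
    return {"spawned": False, "rwx_allocs": set(), "writes": set(),
            "mz_at": set(), "thread_eips": set()}


def reconstruct(lines):
    """Group evidence by (injector, target) and collect what each injector did to its target."""
    chains = defaultdict(new_chain)
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        chain = chains[(m.group("src"), m.group("target"))]
        event, rest = m.group("event"), m.group("rest")
        if event == "Process created":
            chain["spawned"] = True
        elif event == "Memory allocated":
            b, p = BASE.search(rest), PROTECT.search(rest)
            # Only regions that are both writable and executable matter for this pattern.
            if b and p and "execute" in p.group("prot") and "write" in p.group("prot"):
                chain["rwx_allocs"].add(int(b.group("base"), 16))
        elif event == "Memory written":
            b = BASE.search(rest)
            if b:
                addr = int(b.group("base"), 16)
                chain["writes"].add(addr)
                mg = MAGIC.search(rest)
                if mg and mg.group("magic").upper().startswith("4D5A"):  # "MZ"
                    chain["mz_at"].add(addr)
        elif event == "Thread created":
            e = EIP.search(rest)
            if e:
                chain["thread_eips"].add(int(e.group("eip"), 16))
    return dict(chains)


def is_pe_injection(chain):
    """PE header written into the target and a remote thread started at an RWX region base."""
    return bool(chain["mz_at"]) and any(eip in chain["rwx_allocs"] for eip in chain["thread_eips"])


def assess(chain):
    """Human-readable findings for one injector/target pair."""
    findings = []
    if chain["spawned"]:
        findings.append("target process was spawned by the injector")
    for addr in sorted(chain["mz_at"]):
        findings.append(f"PE image (MZ header) written into target at {addr:08X}")
    for eip in sorted(chain["thread_eips"]):
        where = ("the base of an RWX region the injector allocated"
                 if eip in chain["rwx_allocs"] else "an address the report does not show being allocated")
        written = " and wrote to" if eip in chain["writes"] else ""
        findings.append(f"remote thread started at {eip:08X}, {where}{written}")
    return findings


if __name__ == "__main__":
    for (src, target), chain in reconstruct(SAMPLE_LINES).items():
        print(f"{src} -> {target}: PE injection={is_pe_injection(chain)}")
        for f in assess(chain):
            print("  -", f)
```

The same reconstruction over the full list above yields three chains (7AYsP32Q7Y.exe into DpiScaling.exe, Iodqgrdelf.exe into DpiScaling.exe, Iodqgrdelf.exe into logagent.exe), all with the MZ write at 72480000 and a thread entry at a separately allocated region.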

          Stealing of Sensitive Information

          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.2.DpiScaling.exe.72480000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.2.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.2.DpiScaling.exe.72480000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.2.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 20.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 7.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 19.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Mapped techniques per tactic (number of matching signatures in parentheses):

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Shared Modules (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Process Injection (812); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (812); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); System Information Discovery (12); System Owner/User Discovery; Network Sniffing
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
          Behavior Graph ID: 562059, Sample: 7AYsP32Q7Y, Start date: 28/01/2022, Architecture: WINDOWS, Score: 100

          Start
            DNS: www.graffity-aws.com
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 2 other signatures
            -> 7AYsP32Q7Y.exe (started)
               DNS: vru2ia.am.files.1drv.com, onedrive.live.com, am-files.fe.1drv.com
               Dropped: C:\Users\user\Contacts\Iodqgrdelf.exe (PE32); C:\Users\...\Iodqgrdelf.exe:Zone.Identifier (ASCII)
               Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
               -> DpiScaling.exe (started)
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                  -> explorer.exe (injected)
                     -> Iodqgrdelf.exe (started)
                        DNS: vru2ia.am.files.1drv.com, onedrive.live.com, am-files.fe.1drv.com
                        Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes
                        -> DpiScaling.exe (started)
                           Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique
                     -> Iodqgrdelf.exe (started)
                        DNS: vru2ia.am.files.1drv.com, onedrive.live.com, am-files.fe.1drv.com
                        Signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
                        -> logagent.exe (started)
                           Signatures: Tries to detect virtualization through RDTSC time measurements
                     -> msiexec.exe (started)
                        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                     -> 2 other processes (started)
                        Signatures: Tries to detect virtualization through RDTSC time measurements

          Source | Detection | Scanner | Label
          7AYsP32Q7Y.exe | 21% | Virustotal |

          Source | Detection | Scanner | Label
          C:\Users\user\Contacts\Iodqgrdelf.exe | 21% | Virustotal |

          Source | Detection | Scanner | Label
          7.0.DpiScaling.exe.72480000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          19.0.DpiScaling.exe.72480000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          22.2.msiexec.exe.2eac4e8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen8
          20.0.logagent.exe.72480000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.DpiScaling.exe.72480000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          19.2.DpiScaling.exe.72480000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.0.DpiScaling.exe.72480000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          20.0.logagent.exe.72480000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          19.0.DpiScaling.exe.72480000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          20.0.logagent.exe.72480000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          20.0.logagent.exe.72480000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          20.2.logagent.exe.72480000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          19.0.DpiScaling.exe.72480000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          19.0.DpiScaling.exe.72480000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.0.DpiScaling.exe.72480000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.0.DpiScaling.exe.72480000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          No Antivirus matches

          Source | Detection | Scanner | Label
          www.fyonkaly.com/ahc8/ | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          onedrive.live.com | unknown | unknown | false | | high
          vru2ia.am.files.1drv.com | unknown | unknown | false | | high
          www.graffity-aws.com | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.fyonkaly.com/ahc8/ | true | Avira URL Cloud: safe | low
                                              No contacted IP infos
                                              Joe Sandbox Version:34.0.0 Boulder Opal
                                              Analysis ID:562059
                                              Start date:28.01.2022
                                              Start time:11:09:41
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 12m 55s
                                              Hypervisor based Inspection enabled:false
                                              Report type:light
                                              Sample file name:7AYsP32Q7Y (renamed file extension from none to exe)
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                               Number of new started processes analysed:26
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.troj.evad.winEXE@13/6@7/0
                                              EGA Information:
                                              • Successful, ratio: 40%
                                              HDC Information:
                                              • Successful, ratio: 100% (good quality ratio 86.4%)
                                              • Quality average: 71.2%
                                              • Quality standard deviation: 33.8%
                                              HCA Information:
                                              • Successful, ratio: 68%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 13.107.43.13, 13.107.42.12, 13.107.42.13
                                              • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odc-web-geo.onedrive.akadns.net, arc.msn.com, l-0004.dc-msedge.net, ris.api.iris.microsoft.com, l-0004.l-msedge.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, odc-am-files-geo.onedrive.akadns.net, displaycatalog.mp.microsoft.com, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, odc-am-files-brs.onedrive.akadns.net
                                               • Execution Graph export aborted for target 7AYsP32Q7Y.exe, PID 2940 because there are no executed functions
                                               • Execution Graph export aborted for target Iodqgrdelf.exe, PID 1244 because there are no executed functions
                                               • Execution Graph export aborted for target Iodqgrdelf.exe, PID 4140 because there are no executed functions
                                               • Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                               Time | Type | Description
                                               11:10:43 | API Interceptor | 1x Sleep call for process: 7AYsP32Q7Y.exe modified
                                               11:11:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Iodqgrdelf C:\Users\user\Contacts\fledrgqdoI.url
                                               11:11:30 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Iodqgrdelf C:\Users\user\Contacts\fledrgqdoI.url
                                               11:11:31 | API Interceptor | 2x Sleep call for process: Iodqgrdelf.exe modified
                                              No context
                                              Process:C:\Users\user\Desktop\7AYsP32Q7Y.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):514560
                                              Entropy (8bit):7.996921857364207
                                              Encrypted:true
                                              SSDEEP:12288:4oPY/z8ZupMNRLMkbKYR+TegyIieXpcA/baXOo6T6:JRgmVbrR+nyIhZcV16T6
                                              MD5:F704A769D6C264FFB852E355C7B4AA2A
                                              SHA1:812C3E16D504F9EBB89595ADEC614CB92AE381E7
                                              SHA-256:DE66BB19CDBE25449A76FFBB95D750FB1E16A54BFBC88A4258ECEBDF1D9322E1
                                              SHA-512:E8F56CB2EE8CF49764CCC879C17B430378181805180455BDC7D795F5F1710AF77FBFCF2D07B25AAB32CA46CEBAFA239F074FFFD4EABAE1BE7C0E70CB2A0398A1
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Contacts\Iodqgrdelf.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):514560
                                              Entropy (8bit):7.996921857364207
                                              Encrypted:true
                                              SSDEEP:12288:4oPY/z8ZupMNRLMkbKYR+TegyIieXpcA/baXOo6T6:JRgmVbrR+nyIhZcV16T6
                                              MD5:F704A769D6C264FFB852E355C7B4AA2A
                                              SHA1:812C3E16D504F9EBB89595ADEC614CB92AE381E7
                                              SHA-256:DE66BB19CDBE25449A76FFBB95D750FB1E16A54BFBC88A4258ECEBDF1D9322E1
                                              SHA-512:E8F56CB2EE8CF49764CCC879C17B430378181805180455BDC7D795F5F1710AF77FBFCF2D07B25AAB32CA46CEBAFA239F074FFFD4EABAE1BE7C0E70CB2A0398A1
                                              Malicious:false
                                              Preview:..J.R.. i'.......{.Uw..=...s..N....<7.o!..+...l.......s......{.)..)..........$vB......`.%.,.-.w.........`..s........X....Qk g j.H....q:1...T...Z...n...B.8%.}.AZ..V..q.........+.f....V..q..._.a...Uq0.l.l.....w.$y.......u.!......_.K].F....d.#....f....4/..WzEJ.i-..AZ.a.g o).d..5.Si1.?..{....vOg49..~V.'....8/...EJ.i-..^...~^..j.].'.n...!..9..4&s.M`.m:9...........+.f.......{.Uw...~[........).....a._....+..#..$|^.....KX..{.H..o!.w..].......H./...e.P..3..Z..../....zT..~..:"`....:@.....Ub.}.l.{.m.......R..E].J..?....m,....+..]oI'.......>/..V.h.`../.g.*w...<#.3..7..7.....B.....*.....2l.....Z..u..C~MN.j...A[%./.g....+.R.)...X.f..J.........l.[.S^...l..j..X..R......f.k^.n....h.m,......#..@.m..`!..m.u.{.#.......c&H.K?.p....V..F.u..%.W.`..Gat@.(qQ(..o...1C.....>.B....y...1@.m.....sE..(...X.*...@..`...~.y.DE.Q....K...s).#n@~@DWz$......u...*..KXrxk.,5..... .@..q....|<QX...7.H....z..X..`.....B.F...b!..+........l........u.....-....b......H.W..5.
                                              Process:C:\Users\user\Contacts\Iodqgrdelf.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):514560
                                              Entropy (8bit):7.996921857364207
                                              Encrypted:true
                                              SSDEEP:12288:4oPY/z8ZupMNRLMkbKYR+TegyIieXpcA/baXOo6T6:JRgmVbrR+nyIhZcV16T6
                                              MD5:F704A769D6C264FFB852E355C7B4AA2A
                                              SHA1:812C3E16D504F9EBB89595ADEC614CB92AE381E7
                                              SHA-256:DE66BB19CDBE25449A76FFBB95D750FB1E16A54BFBC88A4258ECEBDF1D9322E1
                                              SHA-512:E8F56CB2EE8CF49764CCC879C17B430378181805180455BDC7D795F5F1710AF77FBFCF2D07B25AAB32CA46CEBAFA239F074FFFD4EABAE1BE7C0E70CB2A0398A1
                                              Malicious:false
                                              Preview:..J.R.. i'.......{.Uw..=...s..N....<7.o!..+...l.......s......{.)..)..........$vB......`.%.,.-.w.........`..s........X....Qk g j.H....q:1...T...Z...n...B.8%.}.AZ..V..q.........+.f....V..q..._.a...Uq0.l.l.....w.$y.......u.!......_.K].F....d.#....f....4/..WzEJ.i-..AZ.a.g o).d..5.Si1.?..{....vOg49..~V.'....8/...EJ.i-..^...~^..j.].'.n...!..9..4&s.M`.m:9...........+.f.......{.Uw...~[........).....a._....+..#..$|^.....KX..{.H..o!.w..].......H./...e.P..3..Z..../....zT..~..:"`....:@.....Ub.}.l.{.m.......R..E].J..?....m,....+..]oI'.......>/..V.h.`../.g.*w...<#.3..7..7.....B.....*.....2l.....Z..u..C~MN.j...A[%./.g....+.R.)...X.f..J.........l.[.S^...l..j..X..R......f.k^.n....h.m,......#..@.m..`!..m.u.{.#.......c&H.K?.p....V..F.u..%.W.`..Gat@.(qQ(..o...1C.....>.B....y...1@.m.....sE..(...X.*...@..`...~.y.DE.Q....K...s).#n@~@DWz$......u...*..KXrxk.,5..... .@..q....|<QX...7.H....z..X..`.....B.F...b!..+........l........u.....-....b......H.W..5.
                                              Process:C:\Users\user\Desktop\7AYsP32Q7Y.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):755200
                                              Entropy (8bit):7.005601638187975
                                              Encrypted:false
                                              SSDEEP:12288:0HZspw3ZruZb100eubQXXEcIi0FyoADygqwqmLjnEiCHcFaLcpXAAAAAAAAAAAA3:MZAws11Q7XU0G/Tgq/KjRd
                                              MD5:6AE185CE909F0B66306100824C28BAD1
                                              SHA1:5F23A2D4B2C564C95606E537E557AA8251087746
                                              SHA-256:074991CEFC03A7683CB3C81E83C383010F45C130FDC6DAFA13469BFFFAF87867
                                              SHA-512:01931C4D70F045957AA012A8912F483E11E0F069CEE8FD304ACC4CB7E44C838ABBE1EA870D0E13EF8573967845AB2E1102D47EB76CE6B688904CEACAA8258EF7
                                              Malicious:true
                                              Antivirus:
• Antivirus: Virustotal, Detection: 21%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@..............................Z$.......&...................@...|...........................0......................................................CODE................................ ..`DATA................................@...BSS.....y................................idata..Z$.......&..................@....tls......... ...........................rdata.......0......................@..P.reloc...|...@...~..................@..P.rsrc....&.......&...`..............@..P....................................@..P........................................................................................................................................
                                              Process:C:\Users\user\Desktop\7AYsP32Q7Y.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\7AYsP32Q7Y.exe
                                              File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Contacts\\Iodqgrdelf.exe">), ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):100
                                              Entropy (8bit):4.911112255802877
                                              Encrypted:false
                                              SSDEEP:3:HRAbABGQYmTWAX+T+Bf5riBh+DJSsGKdxz99:HRYFVmTWD0pS8JSsbxz99
                                              MD5:8AEF44E0A98FD56ED77423FDDCD711B9
                                              SHA1:D82A06AE8CF35F01F2D78BD604275278F6A85EFE
                                              SHA-256:AE2FB8809149F38B1D0B5861B098D59B8D816C314376192578DDB6C185DAAC3E
                                              SHA-512:6329F16E671C13700A18D86B9114CDD6E878FA46216B81B7DEACD491AACB39EFEA8F7CB23E4E9CA80659727BBBB8DBAE6E1FF2A8ED7A936F51D4628C5A5CADAB
                                              Malicious:false
                                              Yara Hits:
                                              • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\Contacts\fledrgqdoI.url, Author: @itsreallynick (Nick Carr)
                                              • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\Contacts\fledrgqdoI.url, Author: @itsreallynick (Nick Carr)
                                              Preview:[InternetShortcut]..URL=file:"C:\\Users\\user\\Contacts\\Iodqgrdelf.exe"..IconIndex=98..HotKey=96..
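The shortcut above is the persistence mechanism both Methodology_* Yara rules fire on: a .url whose URL= is a file: reference to the freshly dropped executable in the user's Contacts folder, with a HotKey binding so a keystroke launches it. The triage script below is an added example (not Joe Sandbox code and not part of the report) that parses .url content the same way and flags those properties. The malicious input is reproduced from the preview above; the benign https shortcut, the executable-extension list and the user-writable-path pattern are constructed assumptions chosen for the example.

```python
"""Triage Windows Internet Shortcut (.url) files for the persistence pattern in
this report: a file: URL pointing at a dropped executable under the user profile,
plus a HotKey binding. Added example, not Joe Sandbox code. The malicious sample
text is reproduced from the report's preview; everything else is constructed."""
import pathlib
import re
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed: extensions that run when a shortcut target is activated.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta"}
# Assumed: anything under a user profile counts as writable without elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)

# Reproduced from the report's preview of C:\Users\user\Contacts\fledrgqdoI.url
# (CRLF line endings, doubled backslashes exactly as written by the dropper).
SAMPLE_MALICIOUS = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\\\Users\\\\user\\\\Contacts\\\\Iodqgrdelf.exe"\r\n'
    "IconIndex=98\r\n"
    "HotKey=96\r\n"
)
# Constructed benign shortcut for comparison.
SAMPLE_BENIGN = "[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"


@dataclass
class UrlVerdict:
    target: str                      # resolved local path, or the raw URL if not file:
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_url_file(text: str) -> Dict[str, str]:
    """Return the [InternetShortcut] section as a dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str             # keep key case: URL, HotKey, IconIndex
    cp.read_string(text)
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def file_url_to_path(url: str) -> Optional[str]:
    """Normalise file: URLs (file:"C:\\x", file:///C:/x, file://C:\\x) to a Windows path."""
    m = re.match(r'^file:(?://)?"?/?(.*?)"?$', url.strip(), re.IGNORECASE)
    if not m:
        return None
    return m.group(1).replace("\\\\", "\\").replace("/", "\\")


def triage_url_shortcut(text: str) -> UrlVerdict:
    """Flag the properties the report's Yara hits describe."""
    sec = parse_url_file(text)
    url = sec.get("URL", "")
    verdict = UrlVerdict(target=url)
    path = file_url_to_path(url)
    if path is None:
        return verdict               # http/https shortcuts are out of scope here
    verdict.target = path
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext in EXECUTABLE_EXT:
        verdict.reasons.append("file: URL targets an executable")
    if USER_WRITABLE.match(path):
        verdict.reasons.append("target lives under a user-writable profile path")
    hotkey = sec.get("HotKey", "0")
    if hotkey not in ("", "0"):
        verdict.reasons.append(f"HotKey={hotkey} binds a key combination to the shortcut")
    return verdict


def scan_directory(root: str) -> Dict[str, UrlVerdict]:
    """Walk a directory tree (e.g. a user profile) and return only suspicious .url files."""
    hits: Dict[str, UrlVerdict] = {}
    for p in pathlib.Path(root).rglob("*.url"):
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        verdict = triage_url_shortcut(text)
        if verdict.suspicious:
            hits[str(p)] = verdict
    return hits


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        v = triage_url_shortcut(sample)
        print(f"{label}: target={v.target!r} suspicious={v.suspicious} reasons={v.reasons}")
```

Run it against a mounted profile with `scan_directory(r"C:\Users\user")` to sweep every .url under the profile, not just the Startup folder; the sample here hid its shortcut in Contacts, where a Startup-only check would miss it.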
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.005601638187975
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 90.87%
                                              • Win32 Executable Borland Delphi 7 (665061/41) 6.04%
                                              • Win32 Executable Borland Delphi 6 (262906/60) 2.39%
                                              • InstallShield setup (43055/19) 0.39%
                                              • Win32 Executable Delphi generic (14689/80) 0.13%
                                              File name:7AYsP32Q7Y.exe
                                              File size:755200
                                              MD5:6ae185ce909f0b66306100824c28bad1
                                              SHA1:5f23a2d4b2c564c95606e537e557aa8251087746
                                              SHA256:074991cefc03a7683cb3c81e83c383010f45c130fdc6dafa13469bfffaf87867
                                              SHA512:01931c4d70f045957aa012a8912f483e11e0f069cee8fd304acc4cb7e44c838abbe1ea870d0e13ef8573967845ab2e1102d47eb76ce6b688904ceacaa8258ef7
                                              SSDEEP:12288:0HZspw3ZruZb100eubQXXEcIi0FyoADygqwqmLjnEiCHcFaLcpXAAAAAAAAAAAA3:MZAws11Q7XU0G/Tgq/KjRd
                                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                              Icon Hash:489998145269a410
                                              Entrypoint:0x46b100
                                              Entrypoint Section:CODE
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:(none set: no DYNAMIC_BASE, NX_COMPAT or GUARD_CF flag, so the image does not opt in to ASLR, DEP or CFG)
Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC] (the constant link timestamp written by Borland Delphi linkers, not a real build date)
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:c619ea405247cf4221d817e5b12ed8a6
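Three of the header fields above deserve a second look during triage: the link timestamp 0x2A425E19 is the constant every Borland Delphi linker writes rather than a build date, the empty DLL Characteristics means the image opts in to neither ASLR (DYNAMIC_BASE) nor DEP (NX_COMPAT) nor CFG (GUARD_CF), and the entry point 0x46b100 is Imagebase 0x400000 plus the RVA 0x6b100. The script below is an added example, not part of the report and not Joe Sandbox code: it reads those fields directly from the MZ/PE headers with the standard library and emits the findings. Its input is a constructed minimal PE32 header whose values mirror the report (timestamp, image base, entry RVA, no DLL characteristics), not bytes from the sample.

```python
"""Read the PE header fields the report lists (link timestamp, DllCharacteristics,
subsystem, entry point) straight from an MZ/PE image and flag what matters for
triage: the fixed Borland Delphi timestamp and missing ASLR/DEP/CFG opt-ins.
Added example, not Joe Sandbox code. The input is a constructed minimal PE32
header whose values mirror the report; it is not bytes from the sample."""
import struct
from typing import Dict, List

DELPHI_FIXED_TIMESTAMP = 0x2A425E19   # Fri Jun 19 22:22:17 1992 UTC, written by every Delphi linker
IMAGE_DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def parse_pe_headers(data: bytes) -> Dict[str, object]:
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF file header -> optional header (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:                                                # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    # Subsystem (+68) and DllCharacteristics (+70) sit at the same offsets in both formats.
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": machine, "sections": nsections, "timestamp": timestamp,
        "characteristics": characteristics, "pe32plus": magic == 0x20B,
        "image_base": image_base, "entrypoint": image_base + entry_rva,
        "subsystem": subsystem, "dll_characteristics": dllchar,
        "dll_flags": [name for bit, name in sorted(IMAGE_DLLCHARACTERISTICS.items()) if dllchar & bit],
    }


def triage_findings(hdr: Dict[str, object]) -> List[str]:
    """Turn the parsed header into the caveats an analyst would note in the report."""
    findings = []
    if hdr["timestamp"] == DELPHI_FIXED_TIMESTAMP:
        findings.append("link timestamp is the fixed Delphi constant 0x2A425E19, not a build date")
    flags = set(hdr["dll_flags"])
    if "DYNAMIC_BASE" not in flags:
        findings.append("no DYNAMIC_BASE: image loads at its preferred base (no ASLR)")
    if "NX_COMPAT" not in flags:
        findings.append("no NX_COMPAT: image does not opt in to DEP")
    if "GUARD_CF" not in flags:
        findings.append("no GUARD_CF: Control Flow Guard absent")
    return findings


def build_minimal_pe32(timestamp: int, dll_characteristics: int,
                       image_base: int = 0x400000, entry_rva: int = 0x6B100) -> bytes:
    """Constructed test input: DOS header, PE signature, COFF header and a PE32
    optional header with no data directories. Parsable, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew: headers follow the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 96, 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                  # ImageBase
    struct.pack_into("<HH", opt, 68, 2, dll_characteristics)     # WINDOWS_GUI, flags under test
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hdr = parse_pe_headers(build_minimal_pe32(DELPHI_FIXED_TIMESTAMP, 0))
    print(f"entrypoint={hdr['entrypoint']:#x} dll_flags={hdr['dll_flags']}")
    for line in triage_findings(hdr):
        print(" -", line)
```

On a real file, call `parse_pe_headers(open(path, "rb").read())`; the parser only touches the first few hundred bytes, so it is safe to run over a directory of untrusted dropped files without loading them.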
                                              Instruction
                                              push ebp
                                              mov ebp, esp
                                              add esp, FFFFFFF0h
                                              mov eax, 0046AE78h
                                              call 00007F8D4CBFED25h
                                              mov eax, dword ptr [0046D228h]
                                              mov eax, dword ptr [eax]
                                              call 00007F8D4CC52CCDh
                                              mov eax, dword ptr [0046D228h]
                                              mov eax, dword ptr [eax]
                                              mov edx, 0046B178h
                                              call 00007F8D4CC528A4h
                                              mov ecx, dword ptr [0046D00Ch]
                                              mov eax, dword ptr [0046D228h]
                                              mov eax, dword ptr [eax]
                                              mov edx, dword ptr [00469E74h]
                                              call 00007F8D4CC52CBCh
                                              mov ecx, dword ptr [0046D244h]
                                              mov eax, dword ptr [0046D228h]
                                              mov eax, dword ptr [eax]
                                              mov edx, dword ptr [0045F4F4h]
                                              call 00007F8D4CC52CA4h
                                              mov eax, dword ptr [0046D228h]
                                              mov eax, dword ptr [eax]
                                              call 00007F8D4CC52D18h
                                              call 00007F8D4CBFC957h
                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6f000 | 0x245a | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x42600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x74000 | 0x7c9c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x73000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0x6a184 | 0x6a200 | False | 0.517368779446 | data | 6.52141598847 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA | 0x6c000 | 0x13c8 | 0x1400 | False | 0.4458984375 | data | 4.17742129745 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS | 0x6e000 | 0xd79 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x6f000 | 0x245a | 0x2600 | False | 0.353412828947 | data | 4.92014889215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls | 0x72000 | 0x10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata | 0x73000 | 0x18 | 0x200 | False | 0.05078125 | data | 0.203013767787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0x74000 | 0x7c9c | 0x7e00 | False | 0.602833581349 | data | 6.67533219029 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0x7c000 | 0x42600 | 0x42600 | False | 0.431210275424 | data | 6.9822034515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
DE_KMSIZ | 0x7d38c | 0x2c683 | RIFF (little-endian) data, WAVE audio, Microsoft PCM, 8 bit, mono 11025 Hz | English | United States
RT_CURSOR | 0xa9a10 | 0x134 | data
RT_CURSOR | 0xa9b44 | 0x134 | data
RT_CURSOR | 0xa9c78 | 0x134 | data
RT_CURSOR | 0xa9dac | 0x134 | data
RT_CURSOR | 0xa9ee0 | 0x134 | data
RT_CURSOR | 0xaa014 | 0x134 | data
RT_CURSOR | 0xaa148 | 0x134 | data
RT_BITMAP | 0xaa27c | 0x1d0 | data
RT_BITMAP | 0xaa44c | 0x1e4 | data
RT_BITMAP | 0xaa630 | 0x1d0 | data
RT_BITMAP | 0xaa800 | 0x1d0 | data
RT_BITMAP | 0xaa9d0 | 0x1d0 | data
RT_BITMAP | 0xaaba0 | 0x1d0 | data
RT_BITMAP | 0xaad70 | 0x1d0 | data
RT_BITMAP | 0xaaf40 | 0x1d0 | data
RT_BITMAP | 0xab110 | 0x1d0 | data
RT_BITMAP | 0xab2e0 | 0x1d0 | data
RT_BITMAP | 0xab4b0 | 0x128 | data
RT_BITMAP | 0xab5d8 | 0x128 | data
RT_BITMAP | 0xab700 | 0x128 | data
RT_BITMAP | 0xab828 | 0xe8 | data
RT_BITMAP | 0xab910 | 0x128 | data
RT_BITMAP | 0xaba38 | 0x128 | data
RT_BITMAP | 0xabb60 | 0xd0 | data
RT_BITMAP | 0xabc30 | 0x128 | data
RT_BITMAP | 0xabd58 | 0x128 | data
RT_BITMAP | 0xabe80 | 0x128 | data
RT_BITMAP | 0xabfa8 | 0x128 | data
RT_BITMAP | 0xac0d0 | 0x128 | data
RT_BITMAP | 0xac1f8 | 0xe8 | data
RT_BITMAP | 0xac2e0 | 0x128 | data
RT_BITMAP | 0xac408 | 0x128 | data
RT_BITMAP | 0xac530 | 0xd0 | data
RT_BITMAP | 0xac600 | 0x128 | data
RT_BITMAP | 0xac728 | 0x128 | data
RT_BITMAP | 0xac850 | 0x128 | data
RT_BITMAP | 0xac978 | 0x128 | data
RT_BITMAP | 0xacaa0 | 0x128 | data
RT_BITMAP | 0xacbc8 | 0xe8 | data
RT_BITMAP | 0xaccb0 | 0x128 | data
RT_BITMAP | 0xacdd8 | 0x128 | data
RT_BITMAP | 0xacf00 | 0xd0 | data
RT_BITMAP | 0xacfd0 | 0x128 | data
RT_BITMAP | 0xad0f8 | 0x128 | data
RT_BITMAP | 0xad220 | 0xe8 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xad308 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0xad770 | 0x988 | data | English | United States
RT_ICON | 0xae0f8 | 0x10a8 | data | English | United States
RT_ICON | 0xaf1a0 | 0x25a8 | data | English | United States
RT_ICON | 0xb1748 | 0x94a8 | data | English | United States
RT_DIALOG | 0xbabf0 | 0x52 | data
RT_STRING | 0xbac44 | 0x378 | data
RT_STRING | 0xbafbc | 0x1cc | data
RT_STRING | 0xbb188 | 0x188 | data
RT_STRING | 0xbb310 | 0x1b0 | data
RT_STRING | 0xbb4c0 | 0x304 | data
RT_STRING | 0xbb7c4 | 0xdc | data
RT_STRING | 0xbb8a0 | 0x130 | data
RT_STRING | 0xbb9d0 | 0x268 | data
RT_STRING | 0xbbc38 | 0x41c | data
RT_STRING | 0xbc054 | 0x370 | data
RT_STRING | 0xbc3c4 | 0x3e4 | data
RT_STRING | 0xbc7a8 | 0x234 | data
RT_STRING | 0xbc9dc | 0xec | data
RT_STRING | 0xbcac8 | 0x1b4 | data
RT_STRING | 0xbcc7c | 0x3e4 | data
RT_STRING | 0xbd060 | 0x358 | data
RT_STRING | 0xbd3b8 | 0x2b4 | data
RT_RCDATA | 0xbd66c | 0x10 | data
RT_RCDATA | 0xbd67c | 0x368 | data
RT_RCDATA | 0xbd9e4 | 0x689 | Delphi compiled form 'T__1731424838'
RT_GROUP_CURSOR | 0xbe070 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0xbe084 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0xbe098 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0xbe0ac | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0xbe0c0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0xbe0d4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR | 0xbe0e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON | 0xbe0fc | 0x4c | data | English | United States
RT_VERSION | 0xbe148 | 0x360 | data | French | France
DLL | Import
kernel32.dll | DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll | GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll | RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll | lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryW, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle, AddAtomW
version.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll | UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CloseEnhMetaFile, BitBlt
user32.dll | CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll | Sleep
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
ole32.dll | CreateStreamOnHGlobal, IsAccelerator, OleDraw, OleSetMenuDescriptor, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll | GetErrorInfo, SysFreeString
comctl32.dll | ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
wininet.dll | InternetReadFile, InternetOpenUrlA, InternetOpenA, InternetCloseHandle
Description | Data
LegalCopyright | LEVEUGLE Damien (c) 2005
InternalName | WebPicker
FileVersion | 1.0.0.0
CompanyName | LEVEUGLE Damien
LegalTrademarks | LEVEUGLE Damien
Comments | En Beta Test (French: "In beta test")
ProductName | WebPicker
ProductVersion | 1.0.0.0
FileDescription | Telechargeur de ressources Web (French: "Web resource downloader")
OriginalFilename | WebPicker
Translation | 0x040c 0x04e4
                                              Language of compilation systemCountry where language is spokenMap
                                              EnglishUnited States
                                              FrenchFrance
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Jan 28, 2022 11:10:44.464739084 CET | 57875 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:10:48.005846024 CET | 54154 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:11:33.007854939 CET | 53910 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:11:33.981616020 CET | 64021 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:11:43.113132954 CET | 60784 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:11:45.412658930 CET | 51143 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:12:58.804780006 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                                              Jan 28, 2022 11:12:58.857992887 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Jan 28, 2022 11:10:44.464739084 CET | 192.168.2.3 | 8.8.8.8 | 0x78f7 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                              Jan 28, 2022 11:10:48.005846024 CET | 192.168.2.3 | 8.8.8.8 | 0xbb70 | Standard query (0) | vru2ia.am.files.1drv.com | A (IP address) | IN (0x0001)
                                              Jan 28, 2022 11:11:33.007854939 CET | 192.168.2.3 | 8.8.8.8 | 0x94ab | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                              Jan 28, 2022 11:11:33.981616020 CET | 192.168.2.3 | 8.8.8.8 | 0xafd3 | Standard query (0) | vru2ia.am.files.1drv.com | A (IP address) | IN (0x0001)
                                              Jan 28, 2022 11:11:43.113132954 CET | 192.168.2.3 | 8.8.8.8 | 0xdd6d | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                              Jan 28, 2022 11:11:45.412658930 CET | 192.168.2.3 | 8.8.8.8 | 0x4525 | Standard query (0) | vru2ia.am.files.1drv.com | A (IP address) | IN (0x0001)
                                              Jan 28, 2022 11:12:58.804780006 CET | 192.168.2.3 | 8.8.8.8 | 0x47dc | Standard query (0) | www.graffity-aws.com | A (IP address) | IN (0x0001)
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Jan 28, 2022 11:10:44.484038115 CET | 8.8.8.8 | 192.168.2.3 | 0x78f7 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:10:48.083122015 CET | 8.8.8.8 | 192.168.2.3 | 0xbb70 | No error (0) | vru2ia.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:10:48.083122015 CET | 8.8.8.8 | 192.168.2.3 | 0xbb70 | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:11:33.027973890 CET | 8.8.8.8 | 192.168.2.3 | 0x94ab | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:11:34.151417017 CET | 8.8.8.8 | 192.168.2.3 | 0xafd3 | No error (0) | vru2ia.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:11:34.151417017 CET | 8.8.8.8 | 192.168.2.3 | 0xafd3 | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:11:43.141356945 CET | 8.8.8.8 | 192.168.2.3 | 0xdd6d | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:11:45.958548069 CET | 8.8.8.8 | 192.168.2.3 | 0x4525 | No error (0) | vru2ia.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:11:45.958548069 CET | 8.8.8.8 | 192.168.2.3 | 0x4525 | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                              Jan 28, 2022 11:12:58.857992887 CET | 8.8.8.8 | 192.168.2.3 | 0x47dc | Name error (3) | www.graffity-aws.com | none | none | A (IP address) | IN (0x0001)


                                              Target ID:1
                                              Start time:11:10:42
                                              Start date:28/01/2022
                                              Path:C:\Users\user\Desktop\7AYsP32Q7Y.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\7AYsP32Q7Y.exe"
                                              Imagebase:0x400000
                                              File size:755200 bytes
                                              MD5 hash:6AE185CE909F0B66306100824C28BAD1
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Reputation:low

                                              Target ID:7
                                              Start time:11:11:20
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\DpiScaling.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\DpiScaling.exe
                                              Imagebase:0x970000
                                              File size:77312 bytes
                                              MD5 hash:302B1BBDBF4D96BEE99C6B45680CEB5E
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.382181653.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.382731911.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.551622054.0000000004360000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.549878995.0000000000760000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.382462227.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.381928025.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.554263444.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              Target ID:8
                                              Start time:11:11:23
                                              Start date:28/01/2022
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0x7ff720ea0000
                                              File size:3933184 bytes
                                              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.429270100.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.496447356.000000000FA29000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              Target ID:9
                                              Start time:11:11:30
                                              Start date:28/01/2022
                                              Path:C:\Users\user\Contacts\Iodqgrdelf.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Contacts\Iodqgrdelf.exe"
                                              Imagebase:0x400000
                                              File size:755200 bytes
                                              MD5 hash:6AE185CE909F0B66306100824C28BAD1
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:Borland Delphi
                                              Antivirus matches:
                                              • Detection: 21%, Virustotal, Browse
                                              Reputation:low

                                              Target ID:13
                                              Start time:11:11:39
                                              Start date:28/01/2022
                                              Path:C:\Users\user\Contacts\Iodqgrdelf.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Contacts\Iodqgrdelf.exe"
                                              Imagebase:0x400000
                                              File size:755200 bytes
                                              MD5 hash:6AE185CE909F0B66306100824C28BAD1
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:Borland Delphi
                                              Reputation:low

                                              Target ID:19
                                              Start time:11:12:14
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\DpiScaling.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\DpiScaling.exe
                                              Imagebase:0x970000
                                              File size:77312 bytes
                                              MD5 hash:302B1BBDBF4D96BEE99C6B45680CEB5E
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.539784754.0000000000930000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000000.497404130.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.539833484.0000000004030000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000000.498207002.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000000.497789528.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000000.498613511.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.546473865.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              Target ID:20
                                              Start time:11:12:25
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\logagent.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\System32\logagent.exe
                                              Imagebase:0xe70000
                                              File size:86016 bytes
                                              MD5 hash:E2036AC444AB4AD91EECC1A80FF7212F
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.581563268.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.576773570.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000002.577204129.00000000033B0000.00000040.00000800.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.521833051.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.522233517.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.521162250.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.521484053.0000000072480000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              Target ID:21
                                              Start time:11:12:25
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\autochk.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\SysWOW64\autochk.exe
                                              Imagebase:0x1320000
                                              File size:871424 bytes
                                              MD5 hash:34236DB574405291498BCD13D20C42EB
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:22
                                              Start time:11:12:27
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\msiexec.exe
                                              Imagebase:0xdf0000
                                              File size:59904 bytes
                                              MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.577407800.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.576603089.0000000000BB0000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.576996398.0000000000CA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              Target ID:23
                                              Start time:11:12:33
                                              Start date:28/01/2022
                                              Path:C:\Windows\SysWOW64\cscript.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\cscript.exe
                                              Imagebase:0x9f0000
                                              File size:143360 bytes
                                              MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.551797421.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              No disassembly