Windows Analysis Report New Enquiry 00111721.exe

Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.lasnochesdeluces.com/ng6c/"], "decoy": ["ayeghkarialmahdi.com", "xpatfone.com", "doctorsilkroad.com", "ivegotthat.com", "letsguthappy.com", "xrxgqf.website", "northlakelogisticspark.com", "iseewhatyourmean.space", "animalsmeme.net", "webuywholesalerhouses.com", "946abp.net", "fitnsfreak.com", "beautyloungeacademyllc.com", "chuyistudio.com", "koiclean.com", "oneupcobra.net", "cleversights.com", "viniciusshop.com", "roonkingagency.online", "pentooloffice.com", "dapaotang0.xyz", "dress-ads.com", "malgorzata-lac.com", "shoppingvipshopping.space", "mar.cruises", "motivational-hub.com", "4217193.win", "collegedalerealtor.com", "keylinktosolutions.com", "longlivesela.com", "xso94.top", "lalocandaonline.com", "thebootyteasisterhood.com", "varzeshbanovans.com", "resonators-and.com", "geodigraph.coop", "retrosvoiture.com", "qiuma.net", "caringhearts.asia", "mgav99.xyz", "daliborkokic.com", "wtfong.com", "caprockiic.com", "pgonline555.online", "baxin.net", "ezo-magik.store", "renewueye.com", "deepideaconsulting.com", "timmyben.com", "pavitrafabtech.com", "ohsodolc.com", "lemesdev.com", "senseyestore.com", "multivisaorepresentacao.com", "ferasan.com", "wholenessdiagram.com", "smelltraining.club", "lifestylearch.com", "harryrowlandart.com", "bigceme3.com", "rittmarshausen.net", "day-mutual.com", "inkedbreadco.com", "craftycatmull.com"]}

Multi AV Scanner detection for submitted file

Source: New Enquiry 00111721.exe

ReversingLabs: Detection: 22%

Yara detected FormBook

Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for domain / URL

Source: www.lasnochesdeluces.com/ng6c/

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nso646F.tmp\wyjyuhb.dll

ReversingLabs: Detection: 17%

Source: 11.2.explorer.exe.2f46910.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.New Enquiry 00111721.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New Enquiry 00111721.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 1.2.New Enquiry 00111721.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.0.explorer.exe.b95796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.New Enquiry 00111721.exe.400000.3.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.New Enquiry 00111721.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.New Enquiry 00111721.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.New Enquiry 00111721.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.explorer.exe.503796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.New Enquiry 00111721.exe.400000.1.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 20.0.explorer.exe.b95796c.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.New Enquiry 00111721.exe.400000.2.unpack	Avira: Label: TR/Patched.Ren.Gen2

Source: New Enquiry 00111721.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: explorer.pdbUGP source: New Enquiry 00111721.exe, 00000001.00000002.427661921.0000000002A10000.00000040.00020000.sdmp
Source:	Binary string: C:\xampp\htdocs\Loct\081a57d6ffcd466ca618260040a8ca5f\Loader\dcvnkbmd\Release\dcvnkbmd.pdb source: New Enquiry 00111721.exe, 00000000.00000002.350531627.0000000000409000.00000004.00020000.sdmp, wyjyuhb.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: New Enquiry 00111721.exe, 00000000.00000003.348236429.0000000002990000.00000004.00000001.sdmp, New Enquiry 00111721.exe, 00000001.00000002.426720225.0000000000A8F000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.622099892.0000000004B00000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: New Enquiry 00111721.exe, explorer.exe
Source:	Binary string: explorer.pdb source: New Enquiry 00111721.exe, 00000001.00000002.427661921.0000000002A10000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00402630 FindFirstFileA,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.lasnochesdeluces.com/ng6c/

Source: explorer.exe, 00000014.00000003.533106717.0000000006F6E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: New Enquiry 00111721.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: New Enquiry 00111721.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.372895560.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: New Enquiry 00111721.exe

Source: New Enquiry 00111721.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00406043
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00404618
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_0040681A
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000FC33
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000E85E
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000706C
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000E0B6
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10015D2A
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10015D39
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000D5D2
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10003A4D
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10003F41
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000DB44
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10004359
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_1000478E
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10004BC3
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_100093DE
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0040102A
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041C16A
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041C97E
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041BCEC
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00408C8B
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00408C90
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041CFB1
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AB090
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A620A8
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A628EC
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6E824
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51002
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA830
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099F900
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B4120
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A622AE
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A4FA2B
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C138B
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CEBB0
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CABD8
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A423E3
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5DBD2
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A503DA
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A62B28
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BAB40
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A3CB4F
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A841F
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5D466
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2581
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AD5E0
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A625DD
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A62D07
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00990D20
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A61D55
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A62EF7
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B6E30
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5D616
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A61FF1
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6DFCE
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0040102A
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00401030
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041C16A
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041C97E
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041BCEC
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00408C8B
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00408C90
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00402D87
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00402D90
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00402FB0
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041CFB1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B3841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BED466
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B52581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B3D5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF25DD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B20D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF2D07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF1D55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF2EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B46E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BED616
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF1FF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BFDFCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B520A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF20A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B3B090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF28EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4A830
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BFE824
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B499BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B44120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B2F900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF22AE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4AEF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B236
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BDFA2B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5EBB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5138B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BD23E3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE03DA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BEDBD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5ABD8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF2B28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4A309
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BCCB4F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4AB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069C97E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069BCEC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00688C8B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00688C90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00682D87
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00682D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00682FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069CFB1

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04B2B150 appears 136 times
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: String function: 0041A4D0 appears 38 times
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: String function: 0099B150 appears 136 times

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_004185F0 NtCreateFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_004186A0 NtReadFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00418720 NtClose,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_004187D0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_004185EB NtCreateFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00418643 NtCreateFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041869A NtReadFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041871A NtClose,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009DB040 NtSuspendThread,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9A10 NtQuerySection,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009DA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009DAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9560 NtWriteFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D96D0 NtCreateKey,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9650 NtQueryValueKey,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009DA710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9770 NtSetInformationFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009DA770 NtOpenThread,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D9760 NtOpenProcess,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_004185F0 NtCreateFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_004186A0 NtReadFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00418720 NtClose,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_004187D0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_004185EB NtCreateFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_00418643 NtCreateFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041869A NtReadFile,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041871A NtClose,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B6AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69560 NtWriteFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B6A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B6A770 NtOpenThread,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69760 NtOpenProcess,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B6B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69A20 NtResumeThread,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69A10 NtQuerySection,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B6A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B69B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_006985F0 NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_006986A0 NtReadFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00698720 NtClose,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_006987D0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_006985EB NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_00698643 NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069869A NtReadFile,
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069871A NtClose,

Source: New Enquiry 00111721.exe, 00000000.00000003.350110656.0000000002C3F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New Enquiry 00111721.exe
Source: New Enquiry 00111721.exe, 00000001.00000002.426892283.0000000000C1F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs New Enquiry 00111721.exe
Source: New Enquiry 00111721.exe, 00000001.00000002.429709034.0000000002D5E000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs New Enquiry 00111721.exe

Source: New Enquiry 00111721.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: New Enquiry 00111721.exe

ReversingLabs: Detection: 22%

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

File read: C:\Users\user\Desktop\New Enquiry 00111721.exe

Source: New Enquiry 00111721.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\New Enquiry 00111721.exe "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Process created: C:\Users\user\Desktop\New Enquiry 00111721.exe "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Process created: C:\Users\user\Desktop\New Enquiry 00111721.exe "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\New Enquiry 00111721.exe"

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

File created: C:\Users\user\AppData\Local\Temp\nsd642F.tmp

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/2@0/0

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:528:120:WilError_01

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\explorer.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: explorer.pdbUGP source: New Enquiry 00111721.exe, 00000001.00000002.427661921.0000000002A10000.00000040.00020000.sdmp
Source:	Binary string: C:\xampp\htdocs\Loct\081a57d6ffcd466ca618260040a8ca5f\Loader\dcvnkbmd\Release\dcvnkbmd.pdb source: New Enquiry 00111721.exe, 00000000.00000002.350531627.0000000000409000.00000004.00020000.sdmp, wyjyuhb.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: New Enquiry 00111721.exe, 00000000.00000003.348236429.0000000002990000.00000004.00000001.sdmp, New Enquiry 00111721.exe, 00000001.00000002.426720225.0000000000A8F000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.622099892.0000000004B00000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: New Enquiry 00111721.exe, explorer.exe
Source:	Binary string: explorer.pdb source: New Enquiry 00111721.exe, 00000001.00000002.427661921.0000000002A10000.00000040.00020000.sdmp

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10008735 push ecx; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041B832 push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041B83B push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041B89C push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041B399 push ecx; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041CE1E push 4B5FDABCh; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0041B7E5 push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009ED0D1 push ecx; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041B832 push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041B83B push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041B89C push eax; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041B399 push ecx; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041CE1E push 4B5FDABCh; ret
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_1_0041B7E5 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B7D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069B83B push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069B832 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069B89C push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069B399 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069C48D push edi; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069CE1E push 4B5FDABCh; ret
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_0069B7E5 push eax; ret

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

File created: C:\Users\user\AppData\Local\Temp\nso646F.tmp\wyjyuhb.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Source: C:\Windows\SysWOW64\explorer.exe	Process created: /c del "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: /c del "C:\Users\user\Desktop\New Enquiry 00111721.exe"

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 0000000000688614 second address: 000000000068861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 00000000006889AE second address: 00000000006889B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 1_2_004088E0 rdtsc

Source: C:\Windows\explorer.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_00402630 FindFirstFileA,

Source: explorer.exe, 00000005.00000000.381551435.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000005.00000000.397488888.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000000.506128928.0000000004CEF000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA3
Source: explorer.exe, 00000014.00000003.554461834.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.571838061.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: explorer.exe, 00000005.00000000.391798191.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.525783542.000000000723F000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 00000014.00000003.536113825.0000000006FA3000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000014.00000003.529443321.0000000006FDC000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B%
Source: explorer.exe, 00000014.00000000.580605339.0000000010F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_cw5n1h2txyewyFH1
Source: explorer.exe, 00000014.00000003.581194059.0000000006F62000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_
Source: explorer.exe, 00000014.00000003.554461834.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000014.00000003.554461834.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}z
Source: explorer.exe, 00000014.00000000.581130430.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}{
Source: explorer.exe, 00000014.00000003.514193391.0000000006F00000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.569670251.0000000006F62000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000014.00000003.534781638.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: 806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000014.00000003.532189334.0000000006F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BV
Source: explorer.exe, 00000014.00000003.514111722.0000000006EC1000.00000004.00000001.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000003.524452288.0000000006F20000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000014.00000003.530205388.0000000006FC4000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BI
Source: explorer.exe, 00000014.00000003.558542461.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.532172405.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BL
Source: explorer.exe, 00000014.00000003.514111722.0000000006EC1000.00000004.00000001.sdmp	Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000014.00000003.529121109.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: 806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.525783542.000000000723F000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 00000014.00000000.580605339.0000000010F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lState
Source: explorer.exe, 00000014.00000000.569670251.0000000006F62000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B?M
Source: explorer.exe, 00000014.00000003.525281799.0000000006FC5000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BD
Source: explorer.exe, 00000014.00000003.571952907.00000000111F1000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000014.00000003.554461834.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000014.00000003.570181382.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
Source: explorer.exe, 00000014.00000003.571952907.00000000111F1000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BG
Source: explorer.exe, 00000014.00000000.525783542.000000000723F000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 00000005.00000000.372895560.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000014.00000003.518375540.0000000006FD9000.00000004.00000001.sdmp	Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000014.00000003.516197487.0000000006E2C000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000370@v
Source: explorer.exe, 00000014.00000000.580605339.0000000010F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}soft.Windows.ContentDeliveryManager_cw5n1h2txyewy
Source: explorer.exe, 00000014.00000003.530265662.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000014.00000003.525155298.0000000006FCF000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000014.00000000.580605339.0000000010F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P1
Source: explorer.exe, 00000014.00000000.559248021.0000000004CEF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000E8
Source: explorer.exe, 00000014.00000003.534781638.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B[
Source: explorer.exe, 00000014.00000000.580605339.0000000010F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.Microsoft.WBQ
Source: explorer.exe, 00000014.00000003.524452288.0000000006F20000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.581194059.0000000006F62000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA
Source: explorer.exe, 00000014.00000003.534781638.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000014.00000003.563528233.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: \?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000014.00000003.518062390.0000000006ECA000.00000004.00000001.sdmp	Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000005.00000000.397195325.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000014.00000003.499383977.000000000723F000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000014.00000000.566798248.0000000006E82000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000C
Source: explorer.exe, 00000014.00000003.570181382.00000000111CB000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}x
Source: explorer.exe, 00000014.00000000.580605339.0000000010F65000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AppData
Source: explorer.exe, 00000014.00000003.516197487.0000000006E2C000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.397488888.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000014.00000003.534781638.0000000006F63000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_10006985 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_10002AD0 wpjetylrhe,GetProcessHeap,RtlAllocateHeap,VirtualProtect,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 1_2_004088E0 rdtsc

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10015732 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10015946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_100159F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10015A36 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 0_2_10015A74 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009958EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A423E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A423E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A423E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CF527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CF527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CF527 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A43D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A51608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_0099E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009A8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009D37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009CE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_00A68F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Code function: 1_2_009AFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B3849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BA6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B4746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BBC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B51DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B51DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B51DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BF05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B535A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B5FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B52581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B52581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B52581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B52581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B22D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BE2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BD8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B3D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04B3D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BEFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BEFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BEFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 11_2_04BEFDE2 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 1_2_00409B50 LdrLoadDll,

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_100083DE SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: A10000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Memory written: C:\Users\user\Desktop\New Enquiry 00111721.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Thread register set: target process: 3440
Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 1360

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe	Process created: C:\Users\user\Desktop\New Enquiry 00111721.exe "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\New Enquiry 00111721.exe"

Source: explorer.exe, 00000014.00000000.505967047.0000000004CA7000.00000004.00000001.sdmp	Binary or memory string: Progman0<
Source: explorer.exe, 00000014.00000000.556144304.0000000001940000.00000002.00020000.sdmp	Binary or memory string: Program ManagerLO
Source: New Enquiry 00111721.exe, 00000001.00000002.427661921.0000000002A10000.00000040.00020000.sdmp, explorer.exe, 00000005.00000000.381551435.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000002.621796049.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.556144304.0000000001940000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.373328926.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000002.621796049.0000000003220000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.553970845.0000000001288000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: New Enquiry 00111721.exe, 00000001.00000002.427661921.0000000002A10000.00000040.00020000.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000005.00000000.373328926.0000000000EE0000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 0000000B.00000002.621796049.0000000003220000.00000002.00020000.sdmp	Binary or memory string: Program Manager</
Source: explorer.exe, 00000005.00000000.373328926.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.502604417.0000000001940000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_1000741E cpuid

Source: C:\Users\user\Desktop\New Enquiry 00111721.exe

Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Source: explorer.exe, 00000014.00000000.565436128.0000000006D3E000.00000004.00000001.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New Enquiry 00111721.exe.2950000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.New Enquiry 00111721.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.New Enquiry 00111721.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery271	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection512	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information3	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	File Deletion1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
New Enquiry 00111721.exe	23%	ReversingLabs	Win32.Spyware.Noon

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nso646F.tmp\wyjyuhb.dll	18%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
11.2.explorer.exe.2f46910.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.0.New Enquiry 00111721.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.New Enquiry 00111721.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
1.2.New Enquiry 00111721.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.New Enquiry 00111721.exe.2950000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
20.0.explorer.exe.b95796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.0.New Enquiry 00111721.exe.400000.3.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
1.0.New Enquiry 00111721.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.1.New Enquiry 00111721.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.New Enquiry 00111721.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
11.2.explorer.exe.503796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.0.New Enquiry 00111721.exe.400000.1.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
1.2.New Enquiry 00111721.exe.2a10000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.0.explorer.exe.a10000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
20.0.explorer.exe.b95796c.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
11.2.explorer.exe.a10000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
1.0.New Enquiry 00111721.exe.400000.2.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.lasnochesdeluces.com/ng6c/	5%	Virustotal		Browse
www.lasnochesdeluces.com/ng6c/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.lasnochesdeluces.com/ng6c/	true	5%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000000.372895560.000000000095C000.00000004.00000020.sdmp	false	high
http://nsis.sf.net/NSIS_Error	New Enquiry 00111721.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	New Enquiry 00111721.exe	false	high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	523559
Start date:	17.11.2021
Start time:	12:18:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	New Enquiry 00111721.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/2@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 28.2% (good quality ratio 25.7%) Quality average: 74.7% Quality standard deviation: 31.1%
HCA Information:	Successful, ratio: 87% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, WMIADAP.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:20:17	API Interceptor	345x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nso646F.tmp\wyjyuhb.dll Download File
Process:	C:\Users\user\Desktop\New Enquiry 00111721.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	96768
Entropy (8bit):	6.470863480388857
Encrypted:	false
SSDEEP:	1536:W+6jzRjsu0zoQY/f9tx9Xz3oEh2MvPj8p2jatWRnsWjcdAtF:eKUPjj3h24PiEIAtF
MD5:	F19C171801B9A583C0EB9A259CCF711B
SHA1:	42DBAA2A9BAEF4E58664F72B4BFDBBE44823C531
SHA-256:	2D60D1344390233AFCD141A2C6153A41AEA4E7CD0D3373452D8163AB1F08D09A
SHA-512:	86E514EC6DC9FC789C864806A19D993F006208649BDA9A18D10AD7FCC60E84217FC169EAC998E0CF06BD691F1315C35CFC2D449C96F3384E4C73F9EAE4EB1614
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4...U..U..U.L.4..U......U...,..U......U.7...U.7..U..U.U.E....U.E...U.@....U.E...U.Rich.U.........PE..L......a...........!................................................................................................pE..L....E...................................... ?..T...........................x?..@............................................text............................... ..`.rdata...N.......P..................@..@.data...TQ...P...4...D..............@....rsrc................x..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ok4e5d0nvzvmv Download File
Process:	C:\Users\user\Desktop\New Enquiry 00111721.exe
File Type:	data
Category:	dropped
Size (bytes):	217921
Entropy (8bit):	7.993788822968784
Encrypted:	true
SSDEEP:	6144:nd1ZDoM/5oe1HmckitKQtaJv0xVoqH51vn3ivHd/RxEyy2V:nd1ZDf/5Jk2KQgh0xVoqH51PORxE9k
MD5:	455AE52D402FEDC040826AB0194BF8AF
SHA1:	8A4571B845F061482B2512EF4734EB0E0565D848
SHA-256:	C452F329EAF114D6156E0AFD4F9EBFDC8B045B6A06A878D7FF37C72D1EC02679
SHA-512:	6AB2EB65786AF323268053926E29E6545615B4332FAE8801A7AE87D59A75D6C1FD70C6154F231261239B89793E03D56A808194A8BC045B310AC376FBF2AD6351
Malicious:	false
Reputation:	low
Preview:	i....DS.-cQ..._."kT-9X_..{C..i...k3...I.....9.6."..,......7..}R....X......!i.W-T .4.......].X...."..............nbu$u.....40.Y,Q..d.....+.g.o..24M.....*...Sm#.I.%...h.XXU(....f..X:..p+.46X...N....k.S..\....>+4..a-.......H.+..$%U..\|.V..;0..e8JC..6.8..DS.-.e.kBT.~.k....T...Q.i..#.kz...I.....9.6."..,....D..7..........U"Kn..d..$...V.....sw.../S..d.R.......v66o.aH$u......f.e..9.......Fe. ..X.mREd.Me.\.gh..K.....}./..j...f...:..F+U...N....u.......igt+4..a-...\....+.;;$%U..\| V..f0....8JC.....DS.-om.k.T.~.k..]..T....i...k3...I.....9.6."..,....D..7..........U"Kn..d..$...V.....sw.../S..d.R.......v66o.aH$u......f.e..9.......Fe. ..X.mREd.Me.\.gh..K.....}.U(....f.X:..F+U[....N....u.......ig>+4..a-...\....+.;;$%U..\| V..f0....8JC.....DS.-om.k.T.~.k..]..T....i...k3...I.....9.6."..,....D..7..........U"Kn..d..$...V.....sw.../S..d.R.......v66o.aH$u......f.e..9.......Fe. ..X.mREd.Me.\.gh..K.....}.U(....f.X:..F+U[....N....u.......ig>+4..a-...\....+

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.367293058252351
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New Enquiry 00111721.exe
File size:	472463
MD5:	f8bf5eb015737153c50d0a76c778ca39
SHA1:	293e1fe54312d00ee029676abeb29eb947fec461
SHA256:	59139210e96ea7a1ca64dbb343b225be422bc0d3c66a673959b3e8e076bceea7
SHA512:	5160476707497d288d771b072352545001cb3a67bf2a2158c90daa9b575d9b08cd7b4c815fa19c06d55c5d6a2ee74475d539154c2bc37d7cf5ee5ca96af1adba
SSDEEP:	6144:6GiJKbTqGpM25avTMIz/s1DPo2DSd0jbqH51vn3L5NPEaNEyy5Nta7Mv:kv1LMQ02wbqH51PdNs4E9vtaQv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

File Icon


Icon Hash:	b28e969682a2a6ba

Static PE Info

General
Entrypoint:	0x4030e3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409158h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007F667055F1E8h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F90h
call dword ptr [00407158h]
push 0040914Ch
push 0042E360h
call 00007F667055EE9Fh
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007F667055EE8Dh
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007F667055C6CCh
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007F667055E980h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F667055C725h
cmp cl, 00000020h
jne 00007F667055C6C8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F667055C6BCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x2b130	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5b68	0x5c00	False	0.67722486413	data	6.48746502716	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	False	0.4337890625	data	5.04904254867	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	False	0.58203125	data	4.76995537906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2f000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x37000	0x2b130	0x2b200	False	0.201347373188	data	5.37950448469	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x37310	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x47b38	0x94a8	data	English	United States
RT_ICON	0x50fe0	0x5488	data	English	United States
RT_ICON	0x56468	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 251658240	English	United States
RT_ICON	0x5a690	0x3165	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x5d7f8	0x25a8	data	English	United States
RT_ICON	0x5fda0	0x10a8	data	English	United States
RT_ICON	0x60e48	0x988	data	English	United States
RT_ICON	0x617d0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x61c38	0x100	data	English	United States
RT_DIALOG	0x61d38	0x11c	data	English	United States
RT_DIALOG	0x61e58	0x60	data	English	United States
RT_GROUP_ICON	0x61eb8	0x84	data	English	United States
RT_MANIFEST	0x61f40	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

• New Enquiry 00111721.exe
• New Enquiry 00111721.exe
• explorer.exe
• explorer.exe
• cmd.exe
• conhost.exe
• explorer.exe

Click to jump to process

System Behavior

Analysis Process: New Enquiry 00111721.exe PID: 4848 Parent PID: 5776

General

Start time:	12:19:08
Start date:	17/11/2021
Path:	C:\Users\user\Desktop\New Enquiry 00111721.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Enquiry 00111721.exe"
Imagebase:	0x400000
File size:	472463 bytes
MD5 hash:	F8BF5EB015737153C50D0A76C778CA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.353120447.0000000002950000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

General

Start time:	12:19:11
Start date:	17/11/2021
Path:	C:\Users\user\Desktop\New Enquiry 00111721.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\New Enquiry 00111721.exe"
Imagebase:	0x400000
File size:	472463 bytes
MD5 hash:	F8BF5EB015737153C50D0A76C778CA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426191916.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.347856400.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426450696.00000000008F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.350212118.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426418485.00000000008C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.349692127.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

File Activities

File Read

Analysis Process: explorer.exe PID: 3440 Parent PID: 4896

General

Start time:	12:19:15
Start date:	17/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.384169148.000000000F4AF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.400260927.000000000F4AF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: explorer.exe PID: 2156 Parent PID: 3440

General

Start time:	12:19:46
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xa10000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.613367063.0000000000680000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.616098976.0000000000990000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.616582319.00000000009E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

File Activities

File Read

Analysis Process: cmd.exe PID: 3084 Parent PID: 2156

General

Start time:	12:19:50
Start date:	17/11/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\New Enquiry 00111721.exe"
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

File Activities

Analysis Process: conhost.exe PID: 528 Parent PID: 3084

General

Start time:	12:19:52
Start date:	17/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: explorer.exe PID: 1360 Parent PID: 6188

General

Start time:	12:20:16
Start date:	17/11/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

File Activities