Windows Analysis Report
l46MzH3L15.exe

Overview

General Information

Sample name: l46MzH3L15.exe (renamed because original name is a hash value)
Original sample name: cfa42efcd11c6fc3cecbc501ab4091b9d6ae7b86fe9b944b636764ae477f9abd.exe
Analysis ID: 1632230
MD5: 8644175cee5b47c89006f5011dd4a509
SHA1: 648b8965cd983668b68610b2dd9cc914dc7d993c
SHA256: cfa42efcd11c6fc3cecbc501ab4091b9d6ae7b86fe9b944b636764ae477f9abd
Tags: exe, GuLoader, signed, user-adrian__luca

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious PE digital signature
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • l46MzH3L15.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\l46MzH3L15.exe" MD5: 8644175CEE5B47C89006F5011DD4A509)
    • l46MzH3L15.exe (PID: 772 cmdline: "C:\Users\user\Desktop\l46MzH3L15.exe" MD5: 8644175CEE5B47C89006F5011DD4A509)
      • vZopYmgwbaC.exe (PID: 1676 cmdline: "C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\akXcbP68lzn.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • DpiScaling.exe (PID: 1784 cmdline: "C:\Windows\SysWOW64\DpiScaling.exe" MD5: D44D3A0F5E53F6ECC5C6232930CFCC5E)
          • vZopYmgwbaC.exe (PID: 3868 cmdline: "C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\lyFU7DVgUtCLk.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000C.00000002.3815876314.0000000002B70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3816367012.00000000049E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3816408141.0000000004A30000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3715913260.0000000035FA0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.3360633148.0000000004D50000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-07T21:20:49.630935+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49702 | 92.60.36.190 | 80 | TCP
2025-03-07T21:20:18.980838+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49700 | 142.250.185.142 | 443 | TCP

            AV Detection

            Source: l46MzH3L15.exe, Avira: detected
            Source: l46MzH3L15.exe, Virustotal: Detection: 66%
            Source: l46MzH3L15.exe, ReversingLabs: Detection: 50%
            Source: Yara matchFile source: 0000000C.00000002.3815876314.0000000002B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3816367012.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3816408141.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3715913260.0000000035FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3716337808.0000000036550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3816817006.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
            Source: l46MzH3L15.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: unknownHTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.5:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.5:49701 version: TLS 1.2
            Source: l46MzH3L15.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: mshtml.pdb source: l46MzH3L15.exe, 0000000A.00000001.3358783259.0000000000649000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: wntdll.pdbUGP source: l46MzH3L15.exe, 0000000A.00000003.3578462738.0000000035EA2000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.0000000036200000.00000040.00001000.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3581227595.000000003605A000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.000000003639E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: l46MzH3L15.exe, l46MzH3L15.exe, 0000000A.00000003.3578462738.0000000035EA2000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.0000000036200000.00000040.00001000.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3581227595.000000003605A000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.000000003639E000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe
            Source: Binary string: DpiScaling.pdb source: l46MzH3L15.exe, 0000000A.00000003.3645799092.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686963305.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645730739.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645695359.00000000061DC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: l46MzH3L15.exe, 0000000A.00000001.3358783259.0000000000649000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: DpiScaling.pdbGCTL source: l46MzH3L15.exe, 0000000A.00000003.3645799092.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686963305.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645730739.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645695359.00000000061DC000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A19
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 0_2_004027CF FindFirstFileA,0_2_004027CF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 0_2_004065EA FindFirstFileA,FindClose,0_2_004065EA
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 4x nop then xor eax, eax12_2_02B79ED0

            Networking

            Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49702 -> 92.60.36.190:80
            Source: Joe Sandbox ViewIP Address: 92.60.36.190 92.60.36.190
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49700 -> 142.250.185.142:443
            Source: global traffic, HTTP traffic detected:
                GET /uc?export=download&id=1DHWOos19D1wjZ333l2k_yd1rz3iZT9ON HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                Host: drive.google.com
                Cache-Control: no-cache
            Source: global traffic, HTTP traffic detected:
                GET /download?id=1DHWOos19D1wjZ333l2k_yd1rz3iZT9ON&export=download HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0
                Cache-Control: no-cache
                Host: drive.usercontent.google.com
                Connection: Keep-Alive
            Source: global traffic, HTTP traffic detected:
                GET /5jv6/?nBs8z2=5ctOtSKPMRcO7cs+dYiv8/a8QEXlvMVF785jCSG05kbuL3T9u8F1AtDf+zVyUI0a+4SHPpw6ujRT3/F3P6QEMozNK47uZKcXRaD78LkGLIVOEI7HLIlvIzip4sIzdLlAIQ==&kB98v=jvFhsxipQFA0 HTTP/1.1
                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                Accept-Language: en-us
                Host: www.sparkletime.cloud
                Connection: close
                User-Agent: Mozilla/4.0 (MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: drive.google.com
            Source: global trafficDNS traffic detected: DNS query: drive.usercontent.google.com
            Source: global trafficDNS traffic detected: DNS query: www.sparkletime.cloud
            Source: global traffic, HTTP traffic detected:
                HTTP/1.1 404 Not Found
                Date: Fri, 07 Mar 2025 20:20:49 GMT
                Server: Apache
                Content-Length: 267
                Connection: close
                Content-Type: text/html; charset=iso-8859-1
                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.sparkletime.cloud Port 80</address></body></html>
            Source: l46MzH3L15.exe, l46MzH3L15.exe, 00000000.00000002.3359029269.000000000040A000.00000004.00000001.01000000.00000003.sdmp, l46MzH3L15.exe, 00000000.00000000.1351440177.000000000040A000.00000008.00000001.01000000.00000003.sdmp, l46MzH3L15.exe, 0000000A.00000000.3357036902.000000000040A000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: l46MzH3L15.exe, 00000000.00000002.3359029269.000000000040A000.00000004.00000001.01000000.00000003.sdmp, l46MzH3L15.exe, 00000000.00000000.1351440177.000000000040A000.00000008.00000001.01000000.00000003.sdmp, l46MzH3L15.exe, 0000000A.00000000.3357036902.000000000040A000.00000008.00000001.01000000.00000003.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: l46MzH3L15.exe, 0000000A.00000001.3358783259.0000000000649000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.ftp.ftp://ftp.gopher.
            Source: l46MzH3L15.exe, 0000000A.00000001.3358783259.00000000005F2000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
            Source: l46MzH3L15.exe, 0000000A.00000001.3358783259.00000000005F2000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
            Source: l46MzH3L15.exe, 0000000A.00000003.3510351071.0000000006191000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3510286095.0000000006191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: l46MzH3L15.exe, 0000000A.00000002.3685401877.0000000006128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/
            Source: l46MzH3L15.exe, 0000000A.00000002.3685401877.0000000006128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/B
            Source: l46MzH3L15.exe, 0000000A.00000002.3685401877.0000000006163000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715549711.0000000035620000.00000004.00001000.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3685401877.0000000006128000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DHWOos19D1wjZ333l2k_yd1rz3iZT9ON
            Source: l46MzH3L15.exe, 0000000A.00000002.3685401877.0000000006163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1DHWOos19D1wjZ333l2k_yd1rz3iZT9ONZ
            Source: l46MzH3L15.exe, 0000000A.00000003.3579205206.000000000618D000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000618D000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000618D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/
            Source: l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000618D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DHWOos19D1wjZ333l2k_yd1rz3iZT9ON&export=download
            Source: l46MzH3L15.exe, 0000000A.00000003.3579205206.000000000618D000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000618D000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000618D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1DHWOos19D1wjZ333l2k_yd1rz3iZT9ON&export=downloadfY
            Source: l46MzH3L15.exe, 0000000A.00000001.3358783259.0000000000649000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
            Source: l46MzH3L15.exe, 0000000A.00000003.3510351071.0000000006191000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3510286095.0000000006191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com
            Source: l46MzH3L15.exe, 0000000A.00000003.3510351071.0000000006191000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3510286095.0000000006191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com;report-uri
            Source: l46MzH3L15.exe, 0000000A.00000003.3510351071.0000000006191000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3510286095.0000000006191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: l46MzH3L15.exe, 0000000A.00000003.3510351071.0000000006191000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3510286095.0000000006191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com
            Source: l46MzH3L15.exe, 0000000A.00000003.3510351071.0000000006191000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3510286095.0000000006191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
            Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
            Source: unknownHTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.5:49700 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 216.58.206.65:443 -> 192.168.2.5:49701 version: TLS 1.2
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 0_2_004054D9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004054D9

            E-Banking Fraud

            Source: Yara matchFile source: 0000000C.00000002.3815876314.0000000002B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3816367012.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000C.00000002.3816408141.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3715913260.0000000035FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3716337808.0000000036550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000B.00000002.3816817006.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\l46MzH3L15.exeProcess Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362735C0 NtCreateMutant,LdrInitializeThunk,10_2_362735C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36272DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_36272DF0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD4650 NtSuspendThread,LdrInitializeThunk,12_2_04CD4650
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD4340 NtSetContextThread,LdrInitializeThunk,12_2_04CD4340
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_04CD2CA0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2C60 NtCreateKey,LdrInitializeThunk,12_2_04CD2C60
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_04CD2C70
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2DD0 NtDelayExecution,LdrInitializeThunk,12_2_04CD2DD0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_04CD2DF0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2D10 NtMapViewOfSection,LdrInitializeThunk,12_2_04CD2D10
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_04CD2D30
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2EE0 NtQueueApcThread,LdrInitializeThunk,12_2_04CD2EE0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_04CD2E80
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2FE0 NtCreateFile,LdrInitializeThunk,12_2_04CD2FE0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2FB0 NtResumeThread,LdrInitializeThunk,12_2_04CD2FB0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2F30 NtCreateSection,LdrInitializeThunk,12_2_04CD2F30
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2AD0 NtReadFile,LdrInitializeThunk,12_2_04CD2AD0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2BE0 NtQueryValueKey,LdrInitializeThunk,12_2_04CD2BE0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_04CD2BF0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2B60 NtClose,LdrInitializeThunk,12_2_04CD2B60
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD35C0 NtCreateMutant,LdrInitializeThunk,12_2_04CD35C0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD39B0 NtGetContextThread,LdrInitializeThunk,12_2_04CD39B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2CC0 NtQueryVirtualMemory,12_2_04CD2CC0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2CF0 NtOpenProcess,12_2_04CD2CF0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2C00 NtQueryInformationProcess,12_2_04CD2C00
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2DB0 NtEnumerateKey,12_2_04CD2DB0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2D00 NtSetInformationFile,12_2_04CD2D00
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2EA0 NtAdjustPrivilegesToken,12_2_04CD2EA0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2E30 NtWriteVirtualMemory,12_2_04CD2E30
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2F90 NtProtectVirtualMemory,12_2_04CD2F90
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2FA0 NtQuerySection,12_2_04CD2FA0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2F60 NtCreateProcessEx,12_2_04CD2F60
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2AF0 NtWriteFile,12_2_04CD2AF0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2AB0 NtWaitForSingleObject,12_2_04CD2AB0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2B80 NtQueryInformationFile,12_2_04CD2B80
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD2BA0 NtEnumerateValueKey,12_2_04CD2BA0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD3090 NtSetValueKey,12_2_04CD3090
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD3010 NtOpenDirectoryObject,12_2_04CD3010
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD3D70 NtOpenThread,12_2_04CD3D70
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD3D10 NtOpenProcessToken,12_2_04CD3D10
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B996E0 NtReadFile,12_2_02B996E0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B99570 NtCreateFile,12_2_02B99570
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B99870 NtClose,12_2_02B99870
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B999E0 NtAllocateVirtualMemory,12_2_02B999E0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 0_2_004033A2 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004033A2
            Source: C:\Users\user\Desktop\l46MzH3L15.exe, File created: C:\Windows\resources\0809
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5AB4012_2_04D5AB40
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C9146012_2_04C91460
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5F43F12_2_04D5F43F
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D3D5B012_2_04D3D5B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5757112_2_04D57571
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D516CC12_2_04D516CC
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5F7B012_2_04D5F7B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA70C012_2_04CA70C0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D4F0CC12_2_04D4F0CC
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5F0E012_2_04D5F0E0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D570E912_2_04D570E9
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CAB1B012_2_04CAB1B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CD516C12_2_04CD516C
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8F17212_2_04C8F172
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D6B16B12_2_04D6B16B
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBB2C012_2_04CBB2C0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D412ED12_2_04D412ED
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA52A012_2_04CA52A0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CE739A12_2_04CE739A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8D34C12_2_04C8D34C
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5132D12_2_04D5132D
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5FCF212_2_04D5FCF2
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D19C3212_2_04D19C32
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBFDC012_2_04CBFDC0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA3D4012_2_04CA3D40
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D51D5A12_2_04D51D5A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D57D7312_2_04D57D73
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA9EB012_2_04CA9EB0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA1F9212_2_04CA1F92
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5FFB112_2_04D5FFB1
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5FF0912_2_04D5FF09
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA38E012_2_04CA38E0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D0D80012_2_04D0D800
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA995012_2_04CA9950
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBB95012_2_04CBB950
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D3591012_2_04D35910
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D4DAC612_2_04D4DAC6
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CE5AA012_2_04CE5AA0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D41AA312_2_04D41AA3
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D3DAAC12_2_04D3DAAC
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D57A4612_2_04D57A46
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5FA4912_2_04D5FA49
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D13A6C12_2_04D13A6C
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D15BF012_2_04D15BF0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CDDBF912_2_04CDDBF9
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBFB8012_2_04CBFB80
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5FB7612_2_04D5FB76
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B8220012_2_02B82200
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B7B2B012_2_02B7B2B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B7D2D012_2_02B7D2D0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B7B3F612_2_02B7B3F6
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B7D0B012_2_02B7D0B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B7B40012_2_02B7B400
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B83AC012_2_02B83AC0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B83AC212_2_02B83AC2
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B858B012_2_02B858B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_02B9BE5012_2_02B9BE50
            Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 04CE7E54 appears 102 times
            Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 04D1F290 appears 105 times
            Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 04C8B970 appears 280 times
            Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 04D0EA12 appears 86 times
            Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 04CD5130 appears 58 times
            Source: l46MzH3L15.exe Static PE information: invalid certificate
            Source: l46MzH3L15.exe, 00000000.00000000.1351508402.0000000000449000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevirkelighedssansen.exe8 vs l46MzH3L15.exe
            Source: l46MzH3L15.exe, 0000000A.00000003.3581227595.0000000036187000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs l46MzH3L15.exe
            Source: l46MzH3L15.exe, 0000000A.00000002.3715963073.000000003632D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs l46MzH3L15.exe
            Source: l46MzH3L15.exe, 0000000A.00000003.3645799092.00000000061EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDPISCALING.EXEj% vs l46MzH3L15.exe
            Source: l46MzH3L15.exe, 0000000A.00000003.3578462738.0000000035FC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs l46MzH3L15.exe
            Source: l46MzH3L15.exe, 0000000A.00000000.3357092317.0000000000449000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamevirkelighedssansen.exe8 vs l46MzH3L15.exe
            Source: l46MzH3L15.exe, 0000000A.00000003.3645695359.00000000061DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDPISCALING.EXEj% vs l46MzH3L15.exe
            Source: l46MzH3L15.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engine Classification label: mal100.troj.evad.winEXE@5/27@3/3
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_004033A2 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrlenA,wsprintfA,GetFileAttributesA,DeleteFileA,SetCurrentDirectoryA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_00404789 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_00402198 CoCreateInstance,MultiByteToWideChar
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File created: C:\Users\user\AppData\Roaming\objectivistic
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File created: C:\Users\user\AppData\Local\Temp\nso7692.tmp
            Source: l46MzH3L15.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: l46MzH3L15.exe Virustotal: Detection: 66%
            Source: l46MzH3L15.exe ReversingLabs: Detection: 50%
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File read: C:\Users\user\Desktop\l46MzH3L15.exe
            Source: unknown Process created: C:\Users\user\Desktop\l46MzH3L15.exe "C:\Users\user\Desktop\l46MzH3L15.exe"
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Process created: C:\Users\user\Desktop\l46MzH3L15.exe "C:\Users\user\Desktop\l46MzH3L15.exe"
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: wkscli.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: umpdc.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Section loaded: wininet.dll
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File written: C:\Users\user\resuscitant\Kusser\Cofane.ini
            Source: l46MzH3L15.exe Static file information: File size 1101592 > 1048576
            Source: l46MzH3L15.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: mshtml.pdb source: l46MzH3L15.exe, 0000000A.00000001.3358783259.0000000000649000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: wntdll.pdbUGP source: l46MzH3L15.exe, 0000000A.00000003.3578462738.0000000035EA2000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.0000000036200000.00000040.00001000.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3581227595.000000003605A000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.000000003639E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: l46MzH3L15.exe, l46MzH3L15.exe, 0000000A.00000003.3578462738.0000000035EA2000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.0000000036200000.00000040.00001000.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3581227595.000000003605A000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3715963073.000000003639E000.00000040.00001000.00020000.00000000.sdmp, DpiScaling.exe
            Source: Binary string: DpiScaling.pdb source: l46MzH3L15.exe, 0000000A.00000003.3645799092.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686963305.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645730739.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645695359.00000000061DC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: l46MzH3L15.exe, 0000000A.00000001.3358783259.0000000000649000.00000020.00000001.01000000.00000008.sdmp
            Source: Binary string: DpiScaling.pdbGCTL source: l46MzH3L15.exe, 0000000A.00000003.3645799092.00000000061EE000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000002.3686963305.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645730739.00000000061DA000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3645695359.00000000061DC000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match File source: 00000000.00000002.3360633148.0000000004D50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_6D1E1B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA

            Persistence and Installation Behavior

            Source: Initial sample Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate where issuer matches subject exactly 2) Unusual/suspicious organization name 'Homogeniseringers' that appears unprofessional 3) Suspicious email domain 'Kolonneblokken.Dy' which is not a standard TLD 4) Certificate validation explicitly failed with untrusted root certificate 5) Compilation date (March 30, 2024) is in the future compared to current date (March 7, 2025), suggesting timestamp manipulation 6) Organization unit name 'Fngselsbreve Telecomputing Hjemegne' contains unusual characters and appears randomly generated 7) While US location is given, the naming conventions and language patterns suggest deception. The combination of a self-signed certificate, future compilation date, and clearly suspicious naming patterns strongly indicates this is a malicious file attempting to appear legitimate.
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File created: C:\Users\user\AppData\Local\Temp\nso84CB.tmp\System.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe File created: C:\Users\user\AppData\Local\Temp\nso84CB.tmp\LangDLL.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\DpiScaling.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\l46MzH3L15.exe API/Special instruction interceptor: Address: 55E9D05
            Source: C:\Users\user\Desktop\l46MzH3L15.exe API/Special instruction interceptor: Address: 20D9D05
            Source: C:\Users\user\Desktop\l46MzH3L15.exe RDTSC instruction interceptor: First address: 55A7113 second address: 55A7113 instructions: 0x00000000 rdtsc 0x00000002 cmp si, E9BDh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007FE31C52A813h 0x0000000b inc ebp 0x0000000c test ah, ah 0x0000000e inc ebx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\l46MzH3L15.exe RDTSC instruction interceptor: First address: 2097113 second address: 2097113 instructions: 0x00000000 rdtsc 0x00000002 cmp si, E9BDh 0x00000007 cmp ebx, ecx 0x00000009 jc 00007FE31CB0C123h 0x0000000b inc ebp 0x0000000c test ah, ah 0x0000000e inc ebx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 10_2_363016A6 rdtsc
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso84CB.tmp\System.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso84CB.tmp\LangDLL.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe API coverage: 1.2 %
            Source: C:\Windows\SysWOW64\DpiScaling.exe API coverage: 2.1 %
            Source: C:\Windows\SysWOW64\DpiScaling.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_004027CF FindFirstFileA
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_004065EA FindFirstFileA,FindClose
            Source: l46MzH3L15.exe, 0000000A.00000002.3685401877.0000000006128000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh#
            Source: l46MzH3L15.exe, 0000000A.00000002.3686296483.000000000617B000.00000004.00000020.00020000.00000000.sdmp, l46MzH3L15.exe, 0000000A.00000003.3578920177.000000000617B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
            Source: DpiScaling.exe, 0000000C.00000002.3816191723.0000000003019000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\l46MzH3L15.exe API call chain: ExitProcess graph end node graph_0-4932
            Source: C:\Users\user\Desktop\l46MzH3L15.exe API call chain: ExitProcess graph end node graph_0-5080
            Source: C:\Windows\SysWOW64\DpiScaling.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 10_2_363016A6 rdtsc
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 10_2_362735C0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_6D1E1B28 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 10_2_3622F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362C36EE mov eax, dword ptr fs:[00000030h]10_2_362C36EE
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3625D6E0 mov eax, dword ptr fs:[00000030h]10_2_3625D6E0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3625D6E0 mov eax, dword ptr fs:[00000030h]10_2_3625D6E0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362636EF mov eax, dword ptr fs:[00000030h]10_2_362636EF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362ED6F0 mov eax, dword ptr fs:[00000030h]10_2_362ED6F0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B6C0 mov eax, dword ptr fs:[00000030h]10_2_3623B6C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B6C0 mov eax, dword ptr fs:[00000030h]10_2_3623B6C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B6C0 mov eax, dword ptr fs:[00000030h]10_2_3623B6C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B6C0 mov eax, dword ptr fs:[00000030h]10_2_3623B6C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B6C0 mov eax, dword ptr fs:[00000030h]10_2_3623B6C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B6C0 mov eax, dword ptr fs:[00000030h]10_2_3623B6C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362F16CC mov eax, dword ptr fs:[00000030h]10_2_362F16CC
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362F16CC mov eax, dword ptr fs:[00000030h]10_2_362F16CC
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362F16CC mov eax, dword ptr fs:[00000030h]10_2_362F16CC
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362F16CC mov eax, dword ptr fs:[00000030h]10_2_362F16CC
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362EF6C7 mov eax, dword ptr fs:[00000030h]10_2_362EF6C7
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362616CF mov eax, dword ptr fs:[00000030h]10_2_362616CF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362EF72E mov eax, dword ptr fs:[00000030h]10_2_362EF72E
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36233720 mov eax, dword ptr fs:[00000030h]10_2_36233720
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F720 mov eax, dword ptr fs:[00000030h]10_2_3624F720
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F720 mov eax, dword ptr fs:[00000030h]10_2_3624F720
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F720 mov eax, dword ptr fs:[00000030h]10_2_3624F720
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362F972B mov eax, dword ptr fs:[00000030h]10_2_362F972B
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3630B73C mov eax, dword ptr fs:[00000030h]10_2_3630B73C
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3630B73C mov eax, dword ptr fs:[00000030h]10_2_3630B73C
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3630B73C mov eax, dword ptr fs:[00000030h]10_2_3630B73C
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3630B73C mov eax, dword ptr fs:[00000030h]10_2_3630B73C
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36229730 mov eax, dword ptr fs:[00000030h]10_2_36229730
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36229730 mov eax, dword ptr fs:[00000030h]10_2_36229730
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36265734 mov eax, dword ptr fs:[00000030h]10_2_36265734
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623973A mov eax, dword ptr fs:[00000030h]10_2_3623973A
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623973A mov eax, dword ptr fs:[00000030h]10_2_3623973A
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36237703 mov eax, dword ptr fs:[00000030h]10_2_36237703
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36235702 mov eax, dword ptr fs:[00000030h]10_2_36235702
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36235702 mov eax, dword ptr fs:[00000030h]10_2_36235702
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3626F71F mov eax, dword ptr fs:[00000030h]10_2_3626F71F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3626F71F mov eax, dword ptr fs:[00000030h]10_2_3626F71F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622B765 mov eax, dword ptr fs:[00000030h]10_2_3622B765
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622B765 mov eax, dword ptr fs:[00000030h]10_2_3622B765
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622B765 mov eax, dword ptr fs:[00000030h]10_2_3622B765
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622B765 mov eax, dword ptr fs:[00000030h]10_2_3622B765
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36243740 mov eax, dword ptr fs:[00000030h]10_2_36243740
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36243740 mov eax, dword ptr fs:[00000030h]10_2_36243740
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36243740 mov eax, dword ptr fs:[00000030h]10_2_36243740
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D375F mov eax, dword ptr fs:[00000030h]10_2_362D375F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D375F mov eax, dword ptr fs:[00000030h]10_2_362D375F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D375F mov eax, dword ptr fs:[00000030h]10_2_362D375F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D375F mov eax, dword ptr fs:[00000030h]10_2_362D375F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D375F mov eax, dword ptr fs:[00000030h]10_2_362D375F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36303749 mov eax, dword ptr fs:[00000030h]10_2_36303749
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362B97A9 mov eax, dword ptr fs:[00000030h]10_2_362B97A9
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362BF7AF mov eax, dword ptr fs:[00000030h]10_2_362BF7AF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362BF7AF mov eax, dword ptr fs:[00000030h]10_2_362BF7AF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362BF7AF mov eax, dword ptr fs:[00000030h]10_2_362BF7AF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362BF7AF mov eax, dword ptr fs:[00000030h]10_2_362BF7AF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362BF7AF mov eax, dword ptr fs:[00000030h]10_2_362BF7AF
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_363037B6 mov eax, dword ptr fs:[00000030h]10_2_363037B6
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3625D7B0 mov eax, dword ptr fs:[00000030h]10_2_3625D7B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622F7BA mov eax, dword ptr fs:[00000030h]10_2_3622F7BA
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362ED7B0 mov eax, dword ptr fs:[00000030h]10_2_362ED7B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362ED7B0 mov eax, dword ptr fs:[00000030h]10_2_362ED7B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362EF78A mov eax, dword ptr fs:[00000030h]10_2_362EF78A
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623D7E0 mov ecx, dword ptr fs:[00000030h]10_2_3623D7E0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362357C0 mov eax, dword ptr fs:[00000030h]10_2_362357C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362357C0 mov eax, dword ptr fs:[00000030h]10_2_362357C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362357C0 mov eax, dword ptr fs:[00000030h]10_2_362357C0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3625340D mov eax, dword ptr fs:[00000030h]10_2_3625340D
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362B7410 mov eax, dword ptr fs:[00000030h]10_2_362B7410
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36231460 mov eax, dword ptr fs:[00000030h]10_2_36231460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36231460 mov eax, dword ptr fs:[00000030h]10_2_36231460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36231460 mov eax, dword ptr fs:[00000030h]10_2_36231460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36231460 mov eax, dword ptr fs:[00000030h]10_2_36231460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36231460 mov eax, dword ptr fs:[00000030h]10_2_36231460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F460 mov eax, dword ptr fs:[00000030h]10_2_3624F460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F460 mov eax, dword ptr fs:[00000030h]10_2_3624F460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F460 mov eax, dword ptr fs:[00000030h]10_2_3624F460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F460 mov eax, dword ptr fs:[00000030h]10_2_3624F460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F460 mov eax, dword ptr fs:[00000030h]10_2_3624F460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3624F460 mov eax, dword ptr fs:[00000030h]10_2_3624F460
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3630547F mov eax, dword ptr fs:[00000030h]10_2_3630547F
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B440 mov eax, dword ptr fs:[00000030h]10_2_3623B440
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B440 mov eax, dword ptr fs:[00000030h]10_2_3623B440
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B440 mov eax, dword ptr fs:[00000030h]10_2_3623B440
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B440 mov eax, dword ptr fs:[00000030h]10_2_3623B440
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B440 mov eax, dword ptr fs:[00000030h]10_2_3623B440
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3623B440 mov eax, dword ptr fs:[00000030h]10_2_3623B440
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362EF453 mov eax, dword ptr fs:[00000030h]10_2_362EF453
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362DB450 mov eax, dword ptr fs:[00000030h]10_2_362DB450
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362DB450 mov eax, dword ptr fs:[00000030h]10_2_362DB450
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362DB450 mov eax, dword ptr fs:[00000030h]10_2_362DB450
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362DB450 mov eax, dword ptr fs:[00000030h]10_2_362DB450
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362274B0 mov eax, dword ptr fs:[00000030h]10_2_362274B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362274B0 mov eax, dword ptr fs:[00000030h]10_2_362274B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362634B0 mov eax, dword ptr fs:[00000030h]10_2_362634B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D74B0 mov eax, dword ptr fs:[00000030h]10_2_362D74B0
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_3622B480 mov eax, dword ptr fs:[00000030h]10_2_3622B480
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36239486 mov eax, dword ptr fs:[00000030h]10_2_36239486
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_36239486 mov eax, dword ptr fs:[00000030h]10_2_36239486
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_363014F6 mov eax, dword ptr fs:[00000030h]10_2_363014F6
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_363014F6 mov eax, dword ptr fs:[00000030h]10_2_363014F6
            Source: C:\Users\user\Desktop\l46MzH3L15.exeCode function: 10_2_362D94E0 mov eax, dword ptr fs:[00000030h]10_2_362D94E0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C904E5 mov ecx, dword ptr fs:[00000030h]12_2_04C904E5
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D4A49A mov eax, dword ptr fs:[00000030h]12_2_04D4A49A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D1A4B0 mov eax, dword ptr fs:[00000030h]12_2_04D1A4B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C964AB mov eax, dword ptr fs:[00000030h]12_2_04C964AB
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC44B0 mov ecx, dword ptr fs:[00000030h]12_2_04CC44B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D4A456 mov eax, dword ptr fs:[00000030h]12_2_04D4A456
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE443 mov eax, dword ptr fs:[00000030h]12_2_04CCE443
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CB245A mov eax, dword ptr fs:[00000030h]12_2_04CB245A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8645D mov eax, dword ptr fs:[00000030h]12_2_04C8645D
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D1C460 mov ecx, dword ptr fs:[00000030h]12_2_04D1C460
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBA470 mov eax, dword ptr fs:[00000030h]12_2_04CBA470
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBA470 mov eax, dword ptr fs:[00000030h]12_2_04CBA470
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBA470 mov eax, dword ptr fs:[00000030h]12_2_04CBA470
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC8402 mov eax, dword ptr fs:[00000030h]12_2_04CC8402
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC8402 mov eax, dword ptr fs:[00000030h]12_2_04CC8402
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC8402 mov eax, dword ptr fs:[00000030h]12_2_04CC8402
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8E420 mov eax, dword ptr fs:[00000030h]12_2_04C8E420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8E420 mov eax, dword ptr fs:[00000030h]12_2_04C8E420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8E420 mov eax, dword ptr fs:[00000030h]12_2_04C8E420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C8C427 mov eax, dword ptr fs:[00000030h]12_2_04C8C427
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D16420 mov eax, dword ptr fs:[00000030h]12_2_04D16420
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA430 mov eax, dword ptr fs:[00000030h]12_2_04CCA430
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE5CF mov eax, dword ptr fs:[00000030h]12_2_04CCE5CF
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE5CF mov eax, dword ptr fs:[00000030h]12_2_04CCE5CF
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C965D0 mov eax, dword ptr fs:[00000030h]12_2_04C965D0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA5D0 mov eax, dword ptr fs:[00000030h]12_2_04CCA5D0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA5D0 mov eax, dword ptr fs:[00000030h]12_2_04CCA5D0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCC5ED mov eax, dword ptr fs:[00000030h]12_2_04CCC5ED
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCC5ED mov eax, dword ptr fs:[00000030h]12_2_04CCC5ED
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C925E0 mov eax, dword ptr fs:[00000030h]12_2_04C925E0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE5E7 mov eax, dword ptr fs:[00000030h]12_2_04CBE5E7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC4588 mov eax, dword ptr fs:[00000030h]12_2_04CC4588
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C92582 mov eax, dword ptr fs:[00000030h]12_2_04C92582
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C92582 mov ecx, dword ptr fs:[00000030h]12_2_04C92582
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCE59C mov eax, dword ptr fs:[00000030h]12_2_04CCE59C
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D105A7 mov eax, dword ptr fs:[00000030h]12_2_04D105A7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D105A7 mov eax, dword ptr fs:[00000030h]12_2_04D105A7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D105A7 mov eax, dword ptr fs:[00000030h]12_2_04D105A7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CB45B1 mov eax, dword ptr fs:[00000030h]12_2_04CB45B1
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CB45B1 mov eax, dword ptr fs:[00000030h]12_2_04CB45B1
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C98550 mov eax, dword ptr fs:[00000030h]12_2_04C98550
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C98550 mov eax, dword ptr fs:[00000030h]12_2_04C98550
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC656A mov eax, dword ptr fs:[00000030h]12_2_04CC656A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC656A mov eax, dword ptr fs:[00000030h]12_2_04CC656A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC656A mov eax, dword ptr fs:[00000030h]12_2_04CC656A
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D26500 mov eax, dword ptr fs:[00000030h]12_2_04D26500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D64500 mov eax, dword ptr fs:[00000030h]12_2_04D64500
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE53E mov eax, dword ptr fs:[00000030h]12_2_04CBE53E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE53E mov eax, dword ptr fs:[00000030h]12_2_04CBE53E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE53E mov eax, dword ptr fs:[00000030h]12_2_04CBE53E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE53E mov eax, dword ptr fs:[00000030h]12_2_04CBE53E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CBE53E mov eax, dword ptr fs:[00000030h]12_2_04CBE53E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA0535 mov eax, dword ptr fs:[00000030h]12_2_04CA0535
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA0535 mov eax, dword ptr fs:[00000030h]12_2_04CA0535
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA0535 mov eax, dword ptr fs:[00000030h]12_2_04CA0535
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA0535 mov eax, dword ptr fs:[00000030h]12_2_04CA0535
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA0535 mov eax, dword ptr fs:[00000030h]12_2_04CA0535
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA0535 mov eax, dword ptr fs:[00000030h]12_2_04CA0535
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA6C7 mov ebx, dword ptr fs:[00000030h]12_2_04CCA6C7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA6C7 mov eax, dword ptr fs:[00000030h]12_2_04CCA6C7
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D106F1 mov eax, dword ptr fs:[00000030h]12_2_04D106F1
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D106F1 mov eax, dword ptr fs:[00000030h]12_2_04D106F1
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D0E6F2 mov eax, dword ptr fs:[00000030h]12_2_04D0E6F2
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D0E6F2 mov eax, dword ptr fs:[00000030h]12_2_04D0E6F2
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D0E6F2 mov eax, dword ptr fs:[00000030h]12_2_04D0E6F2
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D0E6F2 mov eax, dword ptr fs:[00000030h]12_2_04D0E6F2
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C94690 mov eax, dword ptr fs:[00000030h]12_2_04C94690
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04C94690 mov eax, dword ptr fs:[00000030h]12_2_04C94690
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCC6A6 mov eax, dword ptr fs:[00000030h]12_2_04CCC6A6
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC66B0 mov eax, dword ptr fs:[00000030h]12_2_04CC66B0
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CAC640 mov eax, dword ptr fs:[00000030h]12_2_04CAC640
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA660 mov eax, dword ptr fs:[00000030h]12_2_04CCA660
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CCA660 mov eax, dword ptr fs:[00000030h]12_2_04CCA660
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CC2674 mov eax, dword ptr fs:[00000030h]12_2_04CC2674
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5866E mov eax, dword ptr fs:[00000030h]12_2_04D5866E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04D5866E mov eax, dword ptr fs:[00000030h]12_2_04D5866E
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA260B mov eax, dword ptr fs:[00000030h]12_2_04CA260B
            Source: C:\Windows\SysWOW64\DpiScaling.exeCode function: 12_2_04CA260B mov eax, dword ptr fs:[00000030h]12_2_04CA260B

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtQuerySystemInformation: Direct from: 0x772748CC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtQueryVolumeInformationFile: Direct from: 0x77272F2C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtOpenSection: Direct from: 0x77272E0C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtClose: Direct from: 0x77272B6C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtReadVirtualMemory: Direct from: 0x77272E8C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtCreateKey: Direct from: 0x77272C6C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtSetInformationThread: Direct from: 0x77272B4C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtQueryAttributesFile: Direct from: 0x77272E6C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtAllocateVirtualMemory: Direct from: 0x772748EC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtQueryInformationToken: Direct from: 0x77272CAC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtOpenKeyEx: Direct from: 0x77272B9C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtDeviceIoControlFile: Direct from: 0x77272AEC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtAllocateVirtualMemory: Direct from: 0x77272BEC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtProtectVirtualMemory: Direct from: 0x77267B2E
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtCreateFile: Direct from: 0x77272FEC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtOpenFile: Direct from: 0x77272DCC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtWriteVirtualMemory: Direct from: 0x77272E3C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtMapViewOfSection: Direct from: 0x77272D1C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtResumeThread: Direct from: 0x772736AC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtProtectVirtualMemory: Direct from: 0x77272F9C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtSetInformationProcess: Direct from: 0x77272C5C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtNotifyChangeKey: Direct from: 0x77273C2C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtCreateMutant: Direct from: 0x772735CC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtSetInformationThread: Direct from: 0x772663F9
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtQueryInformationProcess: Direct from: 0x77272C26
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtResumeThread: Direct from: 0x77272FBC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtCreateUserProcess: Direct from: 0x7727371C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtWriteVirtualMemory: Direct from: 0x7727490C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtAllocateVirtualMemory: Direct from: 0x77273C9C
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtAllocateVirtualMemory: Direct from: 0x77272BFC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtReadFile: Direct from: 0x77272ADC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtQuerySystemInformation: Direct from: 0x77272DFC
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe NtDelayExecution: Direct from: 0x77272DDC
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: NULL target: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Section loaded: NULL target: C:\Windows\SysWOW64\DpiScaling.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: NULL target: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe protection: read write
            Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: NULL target: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\DpiScaling.exe Thread APC queued: target process: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Process created: C:\Users\user\Desktop\l46MzH3L15.exe "C:\Users\user\Desktop\l46MzH3L15.exe"
            Source: C:\Program Files (x86)\eTTqeUgXRaOFVnjfcEBUEPEmxZTBJfalZyUJESILHvjHTIHITpyCSXDyD\vZopYmgwbaC.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe "C:\Windows\SysWOW64\DpiScaling.exe"
            Source: C:\Users\user\Desktop\l46MzH3L15.exe Code function: 0_2_004033A2 EntryPoint, SetErrorMode, GetVersionExA, GetVersionExA, GetVersionExA, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrlenA, wsprintfA, GetFileAttributesA, DeleteFileA, SetCurrentDirectoryA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess

            Stealing of Sensitive Information

            Source: Yara match File source: 0000000C.00000002.3815876314.0000000002B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3816367012.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3816408141.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.3715913260.0000000035FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.3716337808.0000000036550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3816817006.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            Source: Yara match File source: 0000000C.00000002.3815876314.0000000002B70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3816367012.00000000049E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000C.00000002.3816408141.0000000004A30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.3715913260.0000000035FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000A.00000002.3716337808.0000000036550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000B.00000002.3816817006.0000000002890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 221 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 211 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Abuse Elevation Control Mechanism | 1 Access Token Manipulation | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 211 Process Injection | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

            [Behavior Graph ID: 1632230, Sample: l46MzH3L15.exe, Startdate: 07/03/2025, Architecture: WINDOWS, Score: 100]
            Process chain: l46MzH3L15.exe (started) -> l46MzH3L15.exe (started) -> vZopYmgwbaC.exe (injected) -> DpiScaling.exe (started) -> vZopYmgwbaC.exe (injected)
            Network: second l46MzH3L15.exe -> drive.google.com 142.250.185.142, 443 and drive.usercontent.google.com 216.58.206.65, 443 (GOOGLEUS, United States); final vZopYmgwbaC.exe -> sparkletime.cloud 92.60.36.190, 80 (NETCUP-ASnetcupGmbHDE, Germany)

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.