Analysis Report emthree.exe

Overview

General Information

Sample Name: emthree.exe
Analysis ID: 323574
MD5: 25b5788669a3a8f35596ce975f0823a7
SHA1: 77e07883f131f342e3d24954ea348d25554440a1
SHA256: f3024d8a77f7d80b8e1f44a868913ad76e926d5add36cdc27332c42c3cc012a3
Tags: PEP

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus / Scanner detection for submitted sample
Source: emthree.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: emthree.exe Metadefender: Detection: 35% Perma Link
Source: emthree.exe ReversingLabs: Detection: 64%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: emthree.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.emthree.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

barindex
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1Host: www.porncamslivechat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1Host: www.amarilloautoexpress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: C:\Windows\explorer.exe Code function: 2_2_06D527A2 getaddrinfo,setsockopt,recv, 2_2_06D527A2
Source: global traffic HTTP traffic detected: GET /unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q HTTP/1.1Host: www.porncamslivechat.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /unx5/?YBZpk4k0=1w0hMOl97180k8Du4bGC2gk65X6wFt6LICq9bRyB5mmRHYVxdYOusOKtXf2j62HHiftJ&Wt=LhnLHro0q HTTP/1.1Host: www.amarilloautoexpress.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.asojebu.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Nov 2020 05:37:46 GMTServer: ApacheLink: <https://porncamslivechat.com/wp-json/>; rel="https://api.w.org/"Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheSet-Cookie: PHPSESSID=1d6c5c8d17388afcc8a5932da9c3f004; path=/Upgrade: h2,h2cConnection: Upgrade, closeReferrer-Policy: no-referrer-when-downgradeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 33 64 34 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 69 6d 61 67 65 73 2f 69 63 6f 6e 2e 70 6e 67 22 3e 0d 0a 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 6d 69 6e 69 66 79 2f 32 66 36 38 32 2e 63 73 73 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 2f 3e 0d 0a 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0d 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 74 68 65 6d 65 73 2f 70 72 6f 2d 63 61 6d 2d 6d 75 2f 6a 73 2f 68 74 6d 6c 35 2e 6a 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 0d 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 6f 72 6e 63 61 6d 73 6c 69 76 65 63 68 61 74 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 63 61 63 68 65 2f 6d 69 6e 69 66 79 2f 62 66 66 64 30 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 31 35 2e 33 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: emthree.exe, 00000000.00000002.238970430.00000000019F7000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comu
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: emthree.exe, 00000000.00000002.243864150.0000000007352000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.262419309.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: emthree.exe, 00000000.00000002.238716419.00000000016B0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041A070 NtClose, 1_2_0041A070
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041A120 NtAllocateVirtualMemory, 1_2_0041A120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00419F40 NtCreateFile, 1_2_00419F40
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00419FF0 NtReadFile, 1_2_00419FF0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041A06B NtClose, 1_2_0041A06B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041A03A NtReadFile, 1_2_0041A03A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_01029910
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010299A0 NtCreateSection,LdrInitializeThunk, 1_2_010299A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029840 NtDelayExecution,LdrInitializeThunk, 1_2_01029840
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01029860
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010298F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_010298F0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_01029A00
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029A20 NtResumeThread,LdrInitializeThunk, 1_2_01029A20
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029A50 NtCreateFile,LdrInitializeThunk, 1_2_01029A50
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029540 NtReadFile,LdrInitializeThunk, 1_2_01029540
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010295D0 NtClose,LdrInitializeThunk, 1_2_010295D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029710 NtQueryInformationToken,LdrInitializeThunk, 1_2_01029710
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029780 NtMapViewOfSection,LdrInitializeThunk, 1_2_01029780
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010297A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_010297A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_01029660
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010296E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_010296E0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029950 NtQueueApcThread, 1_2_01029950
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010299D0 NtCreateProcessEx, 1_2_010299D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029820 NtEnumerateKey, 1_2_01029820
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102B040 NtSuspendThread, 1_2_0102B040
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010298A0 NtWriteVirtualMemory, 1_2_010298A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029B00 NtSetValueKey, 1_2_01029B00
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102A3B0 NtGetContextThread, 1_2_0102A3B0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029A10 NtQuerySection, 1_2_01029A10
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029A80 NtOpenDirectoryObject, 1_2_01029A80
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029520 NtWaitForSingleObject, 1_2_01029520
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102AD30 NtSetContextThread, 1_2_0102AD30
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029560 NtWriteFile, 1_2_01029560
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010295F0 NtQueryInformationFile, 1_2_010295F0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102A710 NtOpenProcessToken, 1_2_0102A710
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029730 NtQueryVirtualMemory, 1_2_01029730
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029760 NtOpenProcess, 1_2_01029760
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102A770 NtOpenThread, 1_2_0102A770
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029770 NtSetInformationFile, 1_2_01029770
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029FE0 NtCreateMutant, 1_2_01029FE0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029610 NtEnumerateValueKey, 1_2_01029610
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029650 NtQueryValueKey, 1_2_01029650
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01029670 NtQueryInformationProcess, 1_2_01029670
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010296D0 NtCreateKey, 1_2_010296D0
Source: C:\Windows\explorer.exe Code function: 2_2_06D51A52 NtCreateFile, 2_2_06D51A52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE95D0 NtClose,LdrInitializeThunk, 6_2_04EE95D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9540 NtReadFile,LdrInitializeThunk, 6_2_04EE9540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_04EE96E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE96D0 NtCreateKey,LdrInitializeThunk, 6_2_04EE96D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04EE9660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9650 NtQueryValueKey,LdrInitializeThunk, 6_2_04EE9650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_04EE9FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_04EE9780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_04EE9710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04EE9860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9840 NtDelayExecution,LdrInitializeThunk, 6_2_04EE9840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE99A0 NtCreateSection,LdrInitializeThunk, 6_2_04EE99A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04EE9910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9A50 NtCreateFile,LdrInitializeThunk, 6_2_04EE9A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE95F0 NtQueryInformationFile, 6_2_04EE95F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9560 NtWriteFile, 6_2_04EE9560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9520 NtWaitForSingleObject, 6_2_04EE9520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EEAD30 NtSetContextThread, 6_2_04EEAD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9670 NtQueryInformationProcess, 6_2_04EE9670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9610 NtEnumerateValueKey, 6_2_04EE9610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE97A0 NtUnmapViewOfSection, 6_2_04EE97A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9760 NtOpenProcess, 6_2_04EE9760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EEA770 NtOpenThread, 6_2_04EEA770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9770 NtSetInformationFile, 6_2_04EE9770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9730 NtQueryVirtualMemory, 6_2_04EE9730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EEA710 NtOpenProcessToken, 6_2_04EEA710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE98F0 NtReadVirtualMemory, 6_2_04EE98F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE98A0 NtWriteVirtualMemory, 6_2_04EE98A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EEB040 NtSuspendThread, 6_2_04EEB040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9820 NtEnumerateKey, 6_2_04EE9820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE99D0 NtCreateProcessEx, 6_2_04EE99D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9950 NtQueueApcThread, 6_2_04EE9950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9A80 NtOpenDirectoryObject, 6_2_04EE9A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9A20 NtResumeThread, 6_2_04EE9A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9A00 NtProtectVirtualMemory, 6_2_04EE9A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9A10 NtQuerySection, 6_2_04EE9A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EEA3B0 NtGetContextThread, 6_2_04EEA3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE9B00 NtSetValueKey, 6_2_04EE9B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAA070 NtClose, 6_2_02DAA070
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAA120 NtAllocateVirtualMemory, 6_2_02DAA120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DA9FF0 NtReadFile, 6_2_02DA9FF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DA9F40 NtCreateFile, 6_2_02DA9F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAA06B NtClose, 6_2_02DAA06B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAA03A NtReadFile, 6_2_02DAA03A
Detected potential crypto function
Source: C:\Users\user\Desktop\emthree.exe Code function: 0_2_032AC164 0_2_032AC164
Source: C:\Users\user\Desktop\emthree.exe Code function: 0_2_032AE5A2 0_2_032AE5A2
Source: C:\Users\user\Desktop\emthree.exe Code function: 0_2_032AE5B0 0_2_032AE5B0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041E423 1_2_0041E423
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00409E40 1_2_00409E40
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041D73D 1_2_0041D73D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 1_2_01004120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFB090 1_2_00FFB090
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1002 1_2_010A1002
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010BE824 1_2_010BE824
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A830 1_2_0100A830
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B20A8 1_2_010B20A8
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B28EC 1_2_010B28EC
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEF900 1_2_00FEF900
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B2B28 1_2_010B2B28
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100AB40 1_2_0100AB40
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101EBB0 1_2_0101EBB0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A03DA 1_2_010A03DA
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010ADBD2 1_2_010ADBD2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101ABD8 1_2_0101ABD8
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010923E3 1_2_010923E3
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109FA2B 1_2_0109FA2B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B22AE 1_2_010B22AE
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B2D07 1_2_010B2D07
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B1D55 1_2_010B1D55
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012581 1_2_01012581
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B25DD 1_2_010B25DD
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF841F 1_2_00FF841F
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFD5E0 1_2_00FFD5E0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AD466 1_2_010AD466
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE0D20 1_2_00FE0D20
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010BDFCE 1_2_010BDFCE
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B1FF1 1_2_010B1FF1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AD616 1_2_010AD616
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01006E30 1_2_01006E30
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B2EF7 1_2_010B2EF7
Source: C:\Windows\explorer.exe Code function: 2_2_06D51A52 2_2_06D51A52
Source: C:\Windows\explorer.exe Code function: 2_2_06D49CF2 2_2_06D49CF2
Source: C:\Windows\explorer.exe Code function: 2_2_06D49CE9 2_2_06D49CE9
Source: C:\Windows\explorer.exe Code function: 2_2_06D50882 2_2_06D50882
Source: C:\Windows\explorer.exe Code function: 2_2_06D48072 2_2_06D48072
Source: C:\Windows\explorer.exe Code function: 2_2_06D48069 2_2_06D48069
Source: C:\Windows\explorer.exe Code function: 2_2_06D54A0C 2_2_06D54A0C
Source: C:\Windows\explorer.exe Code function: 2_2_06D4F152 2_2_06D4F152
Source: C:\Windows\explorer.exe Code function: 2_2_06D4CB1F 2_2_06D4CB1F
Source: C:\Windows\explorer.exe Code function: 2_2_06D4CB22 2_2_06D4CB22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6D466 6_2_04F6D466
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB841F 6_2_04EB841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EBD5E0 6_2_04EBD5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F725DD 6_2_04F725DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED2581 6_2_04ED2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F71D55 6_2_04F71D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EA0D20 6_2_04EA0D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F72D07 6_2_04F72D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F72EF7 6_2_04F72EF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EC6E30 6_2_04EC6E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6D616 6_2_04F6D616
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F71FF1 6_2_04F71FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F7DFCE 6_2_04F7DFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F728EC 6_2_04F728EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED20A0 6_2_04ED20A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F720A8 6_2_04F720A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EBB090 6_2_04EBB090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F7E824 6_2_04F7E824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECA830 6_2_04ECA830
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61002 6_2_04F61002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EC99BF 6_2_04EC99BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EC4120 6_2_04EC4120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EAF900 6_2_04EAF900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64AEF 6_2_04F64AEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F722AE 6_2_04F722AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F5FA2B 6_2_04F5FA2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F523E3 6_2_04F523E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6DBD2 6_2_04F6DBD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F603DA 6_2_04F603DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDABD8 6_2_04EDABD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDEBB0 6_2_04EDEBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECAB40 6_2_04ECAB40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F72B28 6_2_04F72B28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECA309 6_2_04ECA309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02D99E40 6_2_02D99E40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02D92FB0 6_2_02D92FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAD73D 6_2_02DAD73D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAE423 6_2_02DAE423
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02D92D90 6_2_02D92D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02D92D87 6_2_02D92D87
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04EAB150 appears 133 times
Source: C:\Users\user\Desktop\emthree.exe Code function: String function: 00FEB150 appears 124 times
Sample file is different than original file name gathered from version info
Source: emthree.exe Binary or memory string: OriginalFilename vs emthree.exe
Source: emthree.exe, 00000000.00000002.238716419.00000000016B0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs emthree.exe
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMARCUS.dll4 vs emthree.exe
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs emthree.exe
Source: emthree.exe Binary or memory string: OriginalFilename vs emthree.exe
Source: emthree.exe, 00000001.00000002.276207579.0000000000BBB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs emthree.exe
Source: emthree.exe, 00000001.00000002.276372802.00000000010DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs emthree.exe
Source: emthree.exe Binary or memory string: OriginalFilename vs emthree.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: sfc.dll Jump to behavior
Yara signature match
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: emthree.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/3
Source: C:\Users\user\Desktop\emthree.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\emthree.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_01
Source: emthree.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\emthree.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: emthree.exe Metadefender: Detection: 35%
Source: emthree.exe ReversingLabs: Detection: 64%
Source: unknown Process created: C:\Users\user\Desktop\emthree.exe 'C:\Users\user\Desktop\emthree.exe'
Source: unknown Process created: C:\Users\user\Desktop\emthree.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\emthree.exe Process created: C:\Users\user\Desktop\emthree.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe' Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: emthree.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: emthree.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: emthree.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: emthree.exe, 00000001.00000002.276250317.0000000000FC0000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.490418156.0000000004E80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: emthree.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: emthree.exe, 00000001.00000002.276125323.0000000000AF0000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: emthree.exe, 00000001.00000002.276125323.0000000000AF0000.00000040.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: emthree.exe, Cycle_Jump_Game/Main.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.emthree.exe.f40000.0.unpack, Cycle_Jump_Game/Main.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.emthree.exe.f40000.0.unpack, Cycle_Jump_Game/Main.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.emthree.exe.460000.0.unpack, Cycle_Jump_Game/Main.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.emthree.exe.460000.1.unpack, Cycle_Jump_Game/Main.cs .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xCD1766EF [Fri Jan 13 19:15:59 2079 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041D0E2 push eax; ret 1_2_0041D0E8
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041D0EB push eax; ret 1_2_0041D152
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041D095 push eax; ret 1_2_0041D0E8
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041D14C push eax; ret 1_2_0041D152
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_004082B3 push ebp; ret 1_2_004082B6
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0040E404 push edx; ret 1_2_0040E40F
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0041ECE9 push esp; ret 1_2_0041ECEA
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0103D0D1 push ecx; ret 1_2_0103D0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EFD0D1 push ecx; ret 6_2_04EFD0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02D982B3 push ebp; ret 6_2_02D982B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAD0EB push eax; ret 6_2_02DAD152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAD0E2 push eax; ret 6_2_02DAD0E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAD095 push eax; ret 6_2_02DAD0E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAD14C push eax; ret 6_2_02DAD152
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02DAECE9 push esp; ret 6_2_02DAECEA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02D9E404 push edx; ret 6_2_02D9E40F
Source: initial sample Static PE information: section name: .text entropy: 7.70662287757

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xEA
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: emthree.exe PID: 4600, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\emthree.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\emthree.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002D998E4 second address: 0000000002D998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002D99B5E second address: 0000000002D99B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\emthree.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\emthree.exe Window / User API: threadDelayed 368 Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Window / User API: threadDelayed 820 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\emthree.exe TID: 4612 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe TID: 6000 Thread sleep time: -41500s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe TID: 2872 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 1268 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 1268 Thread sleep time: -70000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000002.00000000.260477578.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000002.494634416.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: vmware
Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.241832967.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.260992522.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.253126007.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000002.00000000.260992522.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: VMware
Source: emthree.exe, 00000000.00000002.239603549.0000000003530000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: emthree.exe, 00000000.00000002.240074394.000000000387D000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.258991839.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\emthree.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\emthree.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE58EC mov eax, dword ptr fs:[00000030h] 1_2_00FE58EC
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE40E1 mov eax, dword ptr fs:[00000030h] 1_2_00FE40E1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE40E1 mov eax, dword ptr fs:[00000030h] 1_2_00FE40E1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE40E1 mov eax, dword ptr fs:[00000030h] 1_2_00FE40E1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov eax, dword ptr fs:[00000030h] 1_2_01004120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov eax, dword ptr fs:[00000030h] 1_2_01004120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov eax, dword ptr fs:[00000030h] 1_2_01004120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov eax, dword ptr fs:[00000030h] 1_2_01004120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01004120 mov ecx, dword ptr fs:[00000030h] 1_2_01004120
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101513A mov eax, dword ptr fs:[00000030h] 1_2_0101513A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101513A mov eax, dword ptr fs:[00000030h] 1_2_0101513A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B944 mov eax, dword ptr fs:[00000030h] 1_2_0100B944
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B944 mov eax, dword ptr fs:[00000030h] 1_2_0100B944
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9080 mov eax, dword ptr fs:[00000030h] 1_2_00FE9080
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100C182 mov eax, dword ptr fs:[00000030h] 1_2_0100C182
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A185 mov eax, dword ptr fs:[00000030h] 1_2_0101A185
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012990 mov eax, dword ptr fs:[00000030h] 1_2_01012990
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010669A6 mov eax, dword ptr fs:[00000030h] 1_2_010669A6
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010161A0 mov eax, dword ptr fs:[00000030h] 1_2_010161A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010161A0 mov eax, dword ptr fs:[00000030h] 1_2_010161A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A49A4 mov eax, dword ptr fs:[00000030h] 1_2_010A49A4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A49A4 mov eax, dword ptr fs:[00000030h] 1_2_010A49A4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A49A4 mov eax, dword ptr fs:[00000030h] 1_2_010A49A4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A49A4 mov eax, dword ptr fs:[00000030h] 1_2_010A49A4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010651BE mov eax, dword ptr fs:[00000030h] 1_2_010651BE
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010651BE mov eax, dword ptr fs:[00000030h] 1_2_010651BE
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010651BE mov eax, dword ptr fs:[00000030h] 1_2_010651BE
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010651BE mov eax, dword ptr fs:[00000030h] 1_2_010651BE
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov ecx, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010099BF mov eax, dword ptr fs:[00000030h] 1_2_010099BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFB02A mov eax, dword ptr fs:[00000030h] 1_2_00FFB02A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFB02A mov eax, dword ptr fs:[00000030h] 1_2_00FFB02A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFB02A mov eax, dword ptr fs:[00000030h] 1_2_00FFB02A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFB02A mov eax, dword ptr fs:[00000030h] 1_2_00FFB02A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010741E8 mov eax, dword ptr fs:[00000030h] 1_2_010741E8
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067016 mov eax, dword ptr fs:[00000030h] 1_2_01067016
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067016 mov eax, dword ptr fs:[00000030h] 1_2_01067016
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067016 mov eax, dword ptr fs:[00000030h] 1_2_01067016
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B4015 mov eax, dword ptr fs:[00000030h] 1_2_010B4015
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B4015 mov eax, dword ptr fs:[00000030h] 1_2_010B4015
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00FEB1E1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00FEB1E1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB1E1 mov eax, dword ptr fs:[00000030h] 1_2_00FEB1E1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101002D mov eax, dword ptr fs:[00000030h] 1_2_0101002D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101002D mov eax, dword ptr fs:[00000030h] 1_2_0101002D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101002D mov eax, dword ptr fs:[00000030h] 1_2_0101002D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101002D mov eax, dword ptr fs:[00000030h] 1_2_0101002D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101002D mov eax, dword ptr fs:[00000030h] 1_2_0101002D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A830 mov eax, dword ptr fs:[00000030h] 1_2_0100A830
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A830 mov eax, dword ptr fs:[00000030h] 1_2_0100A830
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A830 mov eax, dword ptr fs:[00000030h] 1_2_0100A830
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A830 mov eax, dword ptr fs:[00000030h] 1_2_0100A830
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01000050 mov eax, dword ptr fs:[00000030h] 1_2_01000050
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01000050 mov eax, dword ptr fs:[00000030h] 1_2_01000050
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A2073 mov eax, dword ptr fs:[00000030h] 1_2_010A2073
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B1074 mov eax, dword ptr fs:[00000030h] 1_2_010B1074
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01063884 mov eax, dword ptr fs:[00000030h] 1_2_01063884
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01063884 mov eax, dword ptr fs:[00000030h] 1_2_01063884
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB171 mov eax, dword ptr fs:[00000030h] 1_2_00FEB171
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEB171 mov eax, dword ptr fs:[00000030h] 1_2_00FEB171
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEC962 mov eax, dword ptr fs:[00000030h] 1_2_00FEC962
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h] 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h] 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h] 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h] 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h] 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010120A0 mov eax, dword ptr fs:[00000030h] 1_2_010120A0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010290AF mov eax, dword ptr fs:[00000030h] 1_2_010290AF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101F0BF mov ecx, dword ptr fs:[00000030h] 1_2_0101F0BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101F0BF mov eax, dword ptr fs:[00000030h] 1_2_0101F0BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101F0BF mov eax, dword ptr fs:[00000030h] 1_2_0101F0BF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0107B8D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0107B8D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0107B8D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0107B8D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0107B8D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0107B8D0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B8E4 mov eax, dword ptr fs:[00000030h] 1_2_0100B8E4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B8E4 mov eax, dword ptr fs:[00000030h] 1_2_0100B8E4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9100 mov eax, dword ptr fs:[00000030h] 1_2_00FE9100
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9100 mov eax, dword ptr fs:[00000030h] 1_2_00FE9100
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9100 mov eax, dword ptr fs:[00000030h] 1_2_00FE9100
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A309 mov eax, dword ptr fs:[00000030h] 1_2_0100A309
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A131B mov eax, dword ptr fs:[00000030h] 1_2_010A131B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00FFAAB0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFAAB0 mov eax, dword ptr fs:[00000030h] 1_2_00FFAAB0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8B58 mov eax, dword ptr fs:[00000030h] 1_2_010B8B58
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 1_2_00FE52A5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 1_2_00FE52A5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 1_2_00FE52A5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 1_2_00FE52A5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE52A5 mov eax, dword ptr fs:[00000030h] 1_2_00FE52A5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01013B7A mov eax, dword ptr fs:[00000030h] 1_2_01013B7A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01013B7A mov eax, dword ptr fs:[00000030h] 1_2_01013B7A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A138A mov eax, dword ptr fs:[00000030h] 1_2_010A138A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109D380 mov ecx, dword ptr fs:[00000030h] 1_2_0109D380
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101B390 mov eax, dword ptr fs:[00000030h] 1_2_0101B390
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012397 mov eax, dword ptr fs:[00000030h] 1_2_01012397
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014BAD mov eax, dword ptr fs:[00000030h] 1_2_01014BAD
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014BAD mov eax, dword ptr fs:[00000030h] 1_2_01014BAD
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014BAD mov eax, dword ptr fs:[00000030h] 1_2_01014BAD
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B5BA5 mov eax, dword ptr fs:[00000030h] 1_2_010B5BA5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9240 mov eax, dword ptr fs:[00000030h] 1_2_00FE9240
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9240 mov eax, dword ptr fs:[00000030h] 1_2_00FE9240
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9240 mov eax, dword ptr fs:[00000030h] 1_2_00FE9240
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE9240 mov eax, dword ptr fs:[00000030h] 1_2_00FE9240
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010653CA mov eax, dword ptr fs:[00000030h] 1_2_010653CA
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010653CA mov eax, dword ptr fs:[00000030h] 1_2_010653CA
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h] 1_2_010103E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h] 1_2_010103E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h] 1_2_010103E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h] 1_2_010103E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h] 1_2_010103E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010103E2 mov eax, dword ptr fs:[00000030h] 1_2_010103E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEAA16 mov eax, dword ptr fs:[00000030h] 1_2_00FEAA16
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEAA16 mov eax, dword ptr fs:[00000030h] 1_2_00FEAA16
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100DBE9 mov eax, dword ptr fs:[00000030h] 1_2_0100DBE9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010923E3 mov ecx, dword ptr fs:[00000030h] 1_2_010923E3
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010923E3 mov ecx, dword ptr fs:[00000030h] 1_2_010923E3
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010923E3 mov eax, dword ptr fs:[00000030h] 1_2_010923E3
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov eax, dword ptr fs:[00000030h] 1_2_00FE5210
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov ecx, dword ptr fs:[00000030h] 1_2_00FE5210
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov eax, dword ptr fs:[00000030h] 1_2_00FE5210
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE5210 mov eax, dword ptr fs:[00000030h] 1_2_00FE5210
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF8A0A mov eax, dword ptr fs:[00000030h] 1_2_00FF8A0A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01003A1C mov eax, dword ptr fs:[00000030h] 1_2_01003A1C
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AAA16 mov eax, dword ptr fs:[00000030h] 1_2_010AAA16
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AAA16 mov eax, dword ptr fs:[00000030h] 1_2_010AAA16
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100A229 mov eax, dword ptr fs:[00000030h] 1_2_0100A229
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01024A2C mov eax, dword ptr fs:[00000030h] 1_2_01024A2C
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01024A2C mov eax, dword ptr fs:[00000030h] 1_2_01024A2C
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01074257 mov eax, dword ptr fs:[00000030h] 1_2_01074257
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AEA55 mov eax, dword ptr fs:[00000030h] 1_2_010AEA55
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109B260 mov eax, dword ptr fs:[00000030h] 1_2_0109B260
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109B260 mov eax, dword ptr fs:[00000030h] 1_2_0109B260
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8A62 mov eax, dword ptr fs:[00000030h] 1_2_010B8A62
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF1B8F mov eax, dword ptr fs:[00000030h] 1_2_00FF1B8F
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF1B8F mov eax, dword ptr fs:[00000030h] 1_2_00FF1B8F
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0102927A mov eax, dword ptr fs:[00000030h] 1_2_0102927A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101D294 mov eax, dword ptr fs:[00000030h] 1_2_0101D294
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101D294 mov eax, dword ptr fs:[00000030h] 1_2_0101D294
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEDB60 mov ecx, dword ptr fs:[00000030h] 1_2_00FEDB60
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEF358 mov eax, dword ptr fs:[00000030h] 1_2_00FEF358
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101FAB0 mov eax, dword ptr fs:[00000030h] 1_2_0101FAB0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEDB40 mov eax, dword ptr fs:[00000030h] 1_2_00FEDB40
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012ACB mov eax, dword ptr fs:[00000030h] 1_2_01012ACB
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012AE4 mov eax, dword ptr fs:[00000030h] 1_2_01012AE4
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4AEF mov eax, dword ptr fs:[00000030h] 1_2_010A4AEF
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0106A537 mov eax, dword ptr fs:[00000030h] 1_2_0106A537
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AE539 mov eax, dword ptr fs:[00000030h] 1_2_010AE539
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014D3B mov eax, dword ptr fs:[00000030h] 1_2_01014D3B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014D3B mov eax, dword ptr fs:[00000030h] 1_2_01014D3B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01014D3B mov eax, dword ptr fs:[00000030h] 1_2_01014D3B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8D34 mov eax, dword ptr fs:[00000030h] 1_2_010B8D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01023D43 mov eax, dword ptr fs:[00000030h] 1_2_01023D43
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01063540 mov eax, dword ptr fs:[00000030h] 1_2_01063540
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01093D40 mov eax, dword ptr fs:[00000030h] 1_2_01093D40
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01007D50 mov eax, dword ptr fs:[00000030h] 1_2_01007D50
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF849B mov eax, dword ptr fs:[00000030h] 1_2_00FF849B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100C577 mov eax, dword ptr fs:[00000030h] 1_2_0100C577
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100C577 mov eax, dword ptr fs:[00000030h] 1_2_0100C577
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012581 mov eax, dword ptr fs:[00000030h] 1_2_01012581
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012581 mov eax, dword ptr fs:[00000030h] 1_2_01012581
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012581 mov eax, dword ptr fs:[00000030h] 1_2_01012581
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01012581 mov eax, dword ptr fs:[00000030h] 1_2_01012581
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101FD9B mov eax, dword ptr fs:[00000030h] 1_2_0101FD9B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101FD9B mov eax, dword ptr fs:[00000030h] 1_2_0101FD9B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010135A1 mov eax, dword ptr fs:[00000030h] 1_2_010135A1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B05AC mov eax, dword ptr fs:[00000030h] 1_2_010B05AC
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B05AC mov eax, dword ptr fs:[00000030h] 1_2_010B05AC
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h] 1_2_01011DB5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h] 1_2_01011DB5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01011DB5 mov eax, dword ptr fs:[00000030h] 1_2_01011DB5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h] 1_2_01066DC9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h] 1_2_01066DC9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h] 1_2_01066DC9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01066DC9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h] 1_2_01066DC9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066DC9 mov eax, dword ptr fs:[00000030h] 1_2_01066DC9
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 1_2_010AFDE2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 1_2_010AFDE2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 1_2_010AFDE2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AFDE2 mov eax, dword ptr fs:[00000030h] 1_2_010AFDE2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01098DF1 mov eax, dword ptr fs:[00000030h] 1_2_01098DF1
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B740D mov eax, dword ptr fs:[00000030h] 1_2_010B740D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B740D mov eax, dword ptr fs:[00000030h] 1_2_010B740D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B740D mov eax, dword ptr fs:[00000030h] 1_2_010B740D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1C06 mov eax, dword ptr fs:[00000030h] 1_2_010A1C06
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h] 1_2_01066C0A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h] 1_2_01066C0A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h] 1_2_01066C0A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066C0A mov eax, dword ptr fs:[00000030h] 1_2_01066C0A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00FFD5E0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFD5E0 mov eax, dword ptr fs:[00000030h] 1_2_00FFD5E0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101BC2C mov eax, dword ptr fs:[00000030h] 1_2_0101BC2C
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A44B mov eax, dword ptr fs:[00000030h] 1_2_0101A44B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107C450 mov eax, dword ptr fs:[00000030h] 1_2_0107C450
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107C450 mov eax, dword ptr fs:[00000030h] 1_2_0107C450
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100746D mov eax, dword ptr fs:[00000030h] 1_2_0100746D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 1_2_00FE2D8A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 1_2_00FE2D8A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 1_2_00FE2D8A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 1_2_00FE2D8A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE2D8A mov eax, dword ptr fs:[00000030h] 1_2_00FE2D8A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101AC7B mov eax, dword ptr fs:[00000030h] 1_2_0101AC7B
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A4496 mov eax, dword ptr fs:[00000030h] 1_2_010A4496
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF3D34 mov eax, dword ptr fs:[00000030h] 1_2_00FF3D34
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEAD30 mov eax, dword ptr fs:[00000030h] 1_2_00FEAD30
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8CD6 mov eax, dword ptr fs:[00000030h] 1_2_010B8CD6
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A14FB mov eax, dword ptr fs:[00000030h] 1_2_010A14FB
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h] 1_2_01066CF0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h] 1_2_01066CF0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01066CF0 mov eax, dword ptr fs:[00000030h] 1_2_01066CF0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B070D mov eax, dword ptr fs:[00000030h] 1_2_010B070D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B070D mov eax, dword ptr fs:[00000030h] 1_2_010B070D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A70E mov eax, dword ptr fs:[00000030h] 1_2_0101A70E
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A70E mov eax, dword ptr fs:[00000030h] 1_2_0101A70E
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100F716 mov eax, dword ptr fs:[00000030h] 1_2_0100F716
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107FF10 mov eax, dword ptr fs:[00000030h] 1_2_0107FF10
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107FF10 mov eax, dword ptr fs:[00000030h] 1_2_0107FF10
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF76E2 mov eax, dword ptr fs:[00000030h] 1_2_00FF76E2
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101E730 mov eax, dword ptr fs:[00000030h] 1_2_0101E730
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B73D mov eax, dword ptr fs:[00000030h] 1_2_0100B73D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100B73D mov eax, dword ptr fs:[00000030h] 1_2_0100B73D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8F6A mov eax, dword ptr fs:[00000030h] 1_2_010B8F6A
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF766D mov eax, dword ptr fs:[00000030h] 1_2_00FF766D
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067794 mov eax, dword ptr fs:[00000030h] 1_2_01067794
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067794 mov eax, dword ptr fs:[00000030h] 1_2_01067794
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01067794 mov eax, dword ptr fs:[00000030h] 1_2_01067794
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 1_2_00FF7E41
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 1_2_00FF7E41
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 1_2_00FF7E41
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 1_2_00FF7E41
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 1_2_00FF7E41
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF7E41 mov eax, dword ptr fs:[00000030h] 1_2_00FF7E41
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEE620 mov eax, dword ptr fs:[00000030h] 1_2_00FEE620
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010237F5 mov eax, dword ptr fs:[00000030h] 1_2_010237F5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h] 1_2_00FEC600
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h] 1_2_00FEC600
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FEC600 mov eax, dword ptr fs:[00000030h] 1_2_00FEC600
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01018E00 mov eax, dword ptr fs:[00000030h] 1_2_01018E00
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010A1608 mov eax, dword ptr fs:[00000030h] 1_2_010A1608
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A61C mov eax, dword ptr fs:[00000030h] 1_2_0101A61C
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0101A61C mov eax, dword ptr fs:[00000030h] 1_2_0101A61C
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109FE3F mov eax, dword ptr fs:[00000030h] 1_2_0109FE3F
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AAE44 mov eax, dword ptr fs:[00000030h] 1_2_010AAE44
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010AAE44 mov eax, dword ptr fs:[00000030h] 1_2_010AAE44
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FF8794 mov eax, dword ptr fs:[00000030h] 1_2_00FF8794
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h] 1_2_0100AE73
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h] 1_2_0100AE73
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h] 1_2_0100AE73
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h] 1_2_0100AE73
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0100AE73 mov eax, dword ptr fs:[00000030h] 1_2_0100AE73
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0107FE87 mov eax, dword ptr fs:[00000030h] 1_2_0107FE87
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFFF60 mov eax, dword ptr fs:[00000030h] 1_2_00FFFF60
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010646A7 mov eax, dword ptr fs:[00000030h] 1_2_010646A7
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h] 1_2_010B0EA5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h] 1_2_010B0EA5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B0EA5 mov eax, dword ptr fs:[00000030h] 1_2_010B0EA5
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FFEF40 mov eax, dword ptr fs:[00000030h] 1_2_00FFEF40
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_01028EC7 mov eax, dword ptr fs:[00000030h] 1_2_01028EC7
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_0109FEC0 mov eax, dword ptr fs:[00000030h] 1_2_0109FEC0
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010136CC mov eax, dword ptr fs:[00000030h] 1_2_010136CC
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE4F2E mov eax, dword ptr fs:[00000030h] 1_2_00FE4F2E
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_00FE4F2E mov eax, dword ptr fs:[00000030h] 1_2_00FE4F2E
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010B8ED6 mov eax, dword ptr fs:[00000030h] 1_2_010B8ED6
Source: C:\Users\user\Desktop\emthree.exe Code function: 1_2_010116E0 mov ecx, dword ptr fs:[00000030h] 1_2_010116E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h] 6_2_04F26CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h] 6_2_04F26CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26CF0 mov eax, dword ptr fs:[00000030h] 6_2_04F26CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F614FB mov eax, dword ptr fs:[00000030h] 6_2_04F614FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F78CD6 mov eax, dword ptr fs:[00000030h] 6_2_04F78CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F64496 mov eax, dword ptr fs:[00000030h] 6_2_04F64496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB849B mov eax, dword ptr fs:[00000030h] 6_2_04EB849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EC746D mov eax, dword ptr fs:[00000030h] 6_2_04EC746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDAC7B mov eax, dword ptr fs:[00000030h] 6_2_04EDAC7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F3C450 mov eax, dword ptr fs:[00000030h] 6_2_04F3C450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F3C450 mov eax, dword ptr fs:[00000030h] 6_2_04F3C450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDA44B mov eax, dword ptr fs:[00000030h] 6_2_04EDA44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDBC2C mov eax, dword ptr fs:[00000030h] 6_2_04EDBC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F61C06 mov eax, dword ptr fs:[00000030h] 6_2_04F61C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h] 6_2_04F26C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h] 6_2_04F26C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h] 6_2_04F26C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26C0A mov eax, dword ptr fs:[00000030h] 6_2_04F26C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h] 6_2_04F7740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h] 6_2_04F7740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F7740D mov eax, dword ptr fs:[00000030h] 6_2_04F7740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F58DF1 mov eax, dword ptr fs:[00000030h] 6_2_04F58DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EBD5E0 mov eax, dword ptr fs:[00000030h] 6_2_04EBD5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EBD5E0 mov eax, dword ptr fs:[00000030h] 6_2_04EBD5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h] 6_2_04F6FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h] 6_2_04F6FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h] 6_2_04F6FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6FDE2 mov eax, dword ptr fs:[00000030h] 6_2_04F6FDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h] 6_2_04F26DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h] 6_2_04F26DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h] 6_2_04F26DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26DC9 mov ecx, dword ptr fs:[00000030h] 6_2_04F26DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h] 6_2_04F26DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F26DC9 mov eax, dword ptr fs:[00000030h] 6_2_04F26DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED35A1 mov eax, dword ptr fs:[00000030h] 6_2_04ED35A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h] 6_2_04ED1DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h] 6_2_04ED1DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED1DB5 mov eax, dword ptr fs:[00000030h] 6_2_04ED1DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F705AC mov eax, dword ptr fs:[00000030h] 6_2_04F705AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F705AC mov eax, dword ptr fs:[00000030h] 6_2_04F705AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h] 6_2_04EA2D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h] 6_2_04EA2D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h] 6_2_04EA2D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h] 6_2_04EA2D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EA2D8A mov eax, dword ptr fs:[00000030h] 6_2_04EA2D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h] 6_2_04ED2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h] 6_2_04ED2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h] 6_2_04ED2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED2581 mov eax, dword ptr fs:[00000030h] 6_2_04ED2581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F62D82 mov eax, dword ptr fs:[00000030h] 6_2_04F62D82
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDFD9B mov eax, dword ptr fs:[00000030h] 6_2_04EDFD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EDFD9B mov eax, dword ptr fs:[00000030h] 6_2_04EDFD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECC577 mov eax, dword ptr fs:[00000030h] 6_2_04ECC577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECC577 mov eax, dword ptr fs:[00000030h] 6_2_04ECC577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE3D43 mov eax, dword ptr fs:[00000030h] 6_2_04EE3D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F23540 mov eax, dword ptr fs:[00000030h] 6_2_04F23540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F53D40 mov eax, dword ptr fs:[00000030h] 6_2_04F53D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EC7D50 mov eax, dword ptr fs:[00000030h] 6_2_04EC7D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F78D34 mov eax, dword ptr fs:[00000030h] 6_2_04F78D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F2A537 mov eax, dword ptr fs:[00000030h] 6_2_04F2A537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F6E539 mov eax, dword ptr fs:[00000030h] 6_2_04F6E539
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED4D3B mov eax, dword ptr fs:[00000030h] 6_2_04ED4D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED4D3B mov eax, dword ptr fs:[00000030h] 6_2_04ED4D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED4D3B mov eax, dword ptr fs:[00000030h] 6_2_04ED4D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EAAD30 mov eax, dword ptr fs:[00000030h] 6_2_04EAAD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB3D34 mov eax, dword ptr fs:[00000030h] 6_2_04EB3D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB76E2 mov eax, dword ptr fs:[00000030h] 6_2_04EB76E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED16E0 mov ecx, dword ptr fs:[00000030h] 6_2_04ED16E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F78ED6 mov eax, dword ptr fs:[00000030h] 6_2_04F78ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ED36CC mov eax, dword ptr fs:[00000030h] 6_2_04ED36CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EE8EC7 mov eax, dword ptr fs:[00000030h] 6_2_04EE8EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F5FEC0 mov eax, dword ptr fs:[00000030h] 6_2_04F5FEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F70EA5 mov eax, dword ptr fs:[00000030h] 6_2_04F70EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F70EA5 mov eax, dword ptr fs:[00000030h] 6_2_04F70EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F70EA5 mov eax, dword ptr fs:[00000030h] 6_2_04F70EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F246A7 mov eax, dword ptr fs:[00000030h] 6_2_04F246A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04F3FE87 mov eax, dword ptr fs:[00000030h] 6_2_04F3FE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04EB766D mov eax, dword ptr fs:[00000030h] 6_2_04EB766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h] 6_2_04ECAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h] 6_2_04ECAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h] 6_2_04ECAE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04ECAE73 mov eax, dword ptr fs:[00000030h] 6_2_04ECAE73
Enables debug privileges
Source: C:\Users\user\Desktop\emthree.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 23.27.109.19 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 184.154.50.243 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\emthree.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\emthree.exe Thread register set: target process: 3472 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3472 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\emthree.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\emthree.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: AC0000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\emthree.exe Process created: C:\Users\user\Desktop\emthree.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\emthree.exe' Jump to behavior
Source: explorer.exe, 00000002.00000002.503348798.0000000005EA0000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000002.488072734.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.242251394.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.490167747.0000000003730000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Users\user\Desktop\emthree.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\emthree.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.275755986.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489611416.0000000002D90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276071726.0000000000AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.240137106.00000000044F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.489786032.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.276033379.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.488444370.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.emthree.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.emthree.exe.400000.0.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 323574 Sample: emthree.exe Startdate: 27/11/2020 Architecture: WINDOWS Score: 100 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 7 other signatures 2->42 10 emthree.exe 3 2->10         started        process3 file4 28 C:\Users\user\AppData\...\emthree.exe.log, ASCII 10->28 dropped 52 Tries to detect virtualization through RDTSC time measurements 10->52 14 emthree.exe 10->14         started        signatures5 process6 signatures7 54 Modifies the context of a thread in another process (thread injection) 14->54 56 Maps a DLL or memory area into another process 14->56 58 Sample uses process hollowing technique 14->58 60 Queues an APC in another process (thread injection) 14->60 17 explorer.exe 14->17 injected process8 dnsIp9 30 porncamslivechat.com 184.154.50.243, 49746, 80 SINGLEHOP-LLCUS United States 17->30 32 www.amarilloautoexpress.com 23.27.109.19, 49747, 80 EGIHOSTINGUS United States 17->32 34 4 other IPs or domains 17->34 44 System process connects to network (likely due to code injection or exploit) 17->44 21 rundll32.exe 17->21         started        signatures10 process11 signatures12 46 Modifies the context of a thread in another process (thread injection) 21->46 48 Maps a DLL or memory area into another process 21->48 50 Tries to detect virtualization through RDTSC time measurements 21->50 24 cmd.exe 1 21->24         started        process13 process14 26 conhost.exe 24->26         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.27.109.19
 unknown United States
18779 EGIHOSTINGUS true
184.154.50.243
 unknown United States
32475 SINGLEHOP-LLCUS true

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
www.amarilloautoexpress.com 23.27.109.19 true
porncamslivechat.com 184.154.50.243 true
www.porncamslivechat.com unknown unknown
www.asojebu.com unknown unknown
www.haircuressteampod.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.porncamslivechat.com/unx5/?YBZpk4k0=aP/H6rv5dFlIxT1BkbsZYq0qqc+q/KR6FDazEtWbPmCTekqgSoQQ9LKqFpQ/1cw8Q+Tu&Wt=LhnLHro0q true
  • Avira URL Cloud: safe
 unknown