Analysis Report 4pFzkB6ePK.exe

Overview

General Information

Sample Name: 4pFzkB6ePK.exe
Analysis ID: 356512
MD5: 6dd83e20f43a9bd2e136fcd77131f7e4
SHA1: 2d816c160bba20f5e3989af02985118e42a4fe70
SHA256: 5babb878615fbf3b56008f4d7becccdb0a316e3eecb95ce99ea2a6c9d5a8a19a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack Malware Configuration Extractor: FormBook {"C2 list": ["www.ntljcb.com/tub0/"], "decoy": ["playgeazie.com", "blessedmindset.net", "alejofaj.com", "electricbiketechnologes.com", "jmrrealestatellc.com", "alphafathers.com", "trinityhousegoa.com", "trainingrealestateagents.com", "esarpfabrikasi.com", "bookgallary.com", "centralpark-mca.net", "killthemessengermedia.com", "ayderthermal.com", "adsdito.com", "findmy-fmi.info", "1030aponiplace.com", "nachbau.net", "richtig-zuhause-lernen.com", "wuovcoizph.net", "avrplayground.com", "miamiimportca.com", "henrysmassey.com", "truthish.fyi", "serildaspeaks.com", "the-tagteam.com", "s-keer.com", "millersgreenacresfarm.com", "bodytruffle.com", "djtlp.com", "buystockswithcreditcard.com", "estevezcosmetics.com", "fsqlgt.com", "rochellparente.com", "elepope.com", "makiyato.com", "standoniner.com", "onemicandabunchofothers.com", "actranslate.com", "jewelstomorejewels.com", "xn--d1afwajbhp.site", "gogomarketing.xyz", "plietea.club", "carbon-foam.com", "gidanpacouture.com", "covidwatcharizona.com", "truvizi.com", "castleshortage.com", "afromesagroup.com", "specter.one", "mac-compost.com", "spicyfilm.com", "aslanforklift.com", "oka.one", "myjewely.com", "floridashooters.com", "2seamapparel.com", "europeanctosummit.com", "beyond-cultures.com", "cowbex.info", "amandawilsonfamilylaw.com", "whereisdalie.com", "statuniverse.com", "nobotsland.net", "dateatither.com"]}
Multi AV Scanner detection for submitted file
Source: 4pFzkB6ePK.exe Virustotal: Detection: 22%
Source: 4pFzkB6ePK.exe ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 4pFzkB6ePK.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 4pFzkB6ePK.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 4pFzkB6ePK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: msiexec.pdb source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.475468589.0000000004BD0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 4pFzkB6ePK.exe, msiexec.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 4x nop then pop esi 5_2_0041582E
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 4x nop then pop edi 5_2_004162A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 4x nop then pop edi 5_2_0040C3DC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop esi 11_2_00CE582E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 11_2_00CE62A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 11_2_00CDC3DC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 160.153.128.38:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 160.153.128.38:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 160.153.128.38:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 194.59.164.91:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 194.59.164.91:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 194.59.164.91:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.ntljcb.com/tub0/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /tub0/?0T0hlT=cydGkSUU+hbxwnLMCHdxs2HTbhyeOBhf6VDIiN7OyAb+9b2I/6QPcL+NYbrcHhStME+j&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 Host: www.nachbau.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tub0/?0T0hlT=0g3BJlW7sTphQ/5j4Tdr5dYYoDFSx+aDomq4rDoP20bT0mosHTIKHGclLGRJ8AP1BBBd&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 Host: www.carbon-foam.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tub0/?0T0hlT=Oc9Sv6ZsHiz1lEkHjT4sUkzXc6kK6TfJoTMn/p3mX09SqIZJtOPjrYy4Z3tQQ5aTicNK&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 Host: www.aslanforklift.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tub0/?0T0hlT=dN2zk3vDrvOSMWpoBKxdiHLfh4G+CBzvqQ9gZV3x5lRoIc3e6NmSOgfKn1bO4v69I6lv&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 Host: www.ntljcb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: C:\Windows\explorer.exe Code function: 6_2_0642A302 getaddrinfo,setsockopt,recv, 6_2_0642A302
Source: unknown DNS traffic detected: queries for: www.nachbau.net
Source: explorer.exe, 00000006.00000000.253352274.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp String found in binary or memory: http://www.fsqlgt.com/
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp String found in binary or memory: http://www.fsqlgt.com/T0hlT=nrDRCNaQ3GMZq2PvHSeNd5wOe
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp String found in binary or memory: http://www.fsqlgt.com/tub0/?0T0hlT=nrDRCNaQ3GMZq2PvHSeNd5wOe
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\explorer.exe Code function: 6_2_06423EB2 OpenClipboard, 6_2_06423EB2
Creates a DirectInput object (often for capturing keystrokes)
Source: 4pFzkB6ePK.exe, 00000002.00000002.227342464.0000000000A60000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: 4pFzkB6ePK.exe, LogIn.cs Long String: Length: 13656
Source: 5.2.4pFzkB6ePK.exe.e40000.1.unpack, LogIn.cs Long String: Length: 13656
Source: 5.0.4pFzkB6ePK.exe.e40000.0.unpack, LogIn.cs Long String: Length: 13656
Contains functionality to call native functions
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_004181B0 NtCreateFile, 5_2_004181B0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00418260 NtReadFile, 5_2_00418260
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_004182E0 NtClose, 5_2_004182E0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00418390 NtAllocateVirtualMemory, 5_2_00418390
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041825A NtReadFile, 5_2_0041825A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_004182AB NtReadFile, 5_2_004182AB
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041838A NtAllocateVirtualMemory, 5_2_0041838A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019799A0 NtCreateSection,LdrInitializeThunk, 5_2_019799A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019795D0 NtClose,LdrInitializeThunk, 5_2_019795D0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01979910
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979540 NtReadFile,LdrInitializeThunk, 5_2_01979540
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019798F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_019798F0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979840 NtDelayExecution,LdrInitializeThunk, 5_2_01979840
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01979860
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979780 NtMapViewOfSection,LdrInitializeThunk, 5_2_01979780
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019797A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_019797A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979FE0 NtCreateMutant,LdrInitializeThunk, 5_2_01979FE0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979710 NtQueryInformationToken,LdrInitializeThunk, 5_2_01979710
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019796E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_019796E0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01979A00
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979A20 NtResumeThread,LdrInitializeThunk, 5_2_01979A20
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979A50 NtCreateFile,LdrInitializeThunk, 5_2_01979A50
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01979660
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019799D0 NtCreateProcessEx, 5_2_019799D0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019795F0 NtQueryInformationFile, 5_2_019795F0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0197AD30 NtSetContextThread, 5_2_0197AD30
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979520 NtWaitForSingleObject, 5_2_01979520
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979950 NtQueueApcThread, 5_2_01979950
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979560 NtWriteFile, 5_2_01979560
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019798A0 NtWriteVirtualMemory, 5_2_019798A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979820 NtEnumerateKey, 5_2_01979820
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0197B040 NtSuspendThread, 5_2_0197B040
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0197A3B0 NtGetContextThread, 5_2_0197A3B0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0197A710 NtOpenProcessToken, 5_2_0197A710
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979B00 NtSetValueKey, 5_2_01979B00
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979730 NtQueryVirtualMemory, 5_2_01979730
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979770 NtSetInformationFile, 5_2_01979770
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0197A770 NtOpenThread, 5_2_0197A770
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979760 NtOpenProcess, 5_2_01979760
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979A80 NtOpenDirectoryObject, 5_2_01979A80
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019796D0 NtCreateKey, 5_2_019796D0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979610 NtEnumerateValueKey, 5_2_01979610
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979A10 NtQuerySection, 5_2_01979A10
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979650 NtQueryValueKey, 5_2_01979650
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01979670 NtQueryInformationProcess, 5_2_01979670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C395D0 NtClose,LdrInitializeThunk, 11_2_04C395D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39540 NtReadFile,LdrInitializeThunk, 11_2_04C39540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C396D0 NtCreateKey,LdrInitializeThunk, 11_2_04C396D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C396E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_04C396E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39650 NtQueryValueKey,LdrInitializeThunk, 11_2_04C39650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_04C39660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39FE0 NtCreateMutant,LdrInitializeThunk, 11_2_04C39FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39780 NtMapViewOfSection,LdrInitializeThunk, 11_2_04C39780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39710 NtQueryInformationToken,LdrInitializeThunk, 11_2_04C39710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39840 NtDelayExecution,LdrInitializeThunk, 11_2_04C39840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_04C39860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C399A0 NtCreateSection,LdrInitializeThunk, 11_2_04C399A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_04C39910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39A50 NtCreateFile,LdrInitializeThunk, 11_2_04C39A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C395F0 NtQueryInformationFile, 11_2_04C395F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39560 NtWriteFile, 11_2_04C39560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39520 NtWaitForSingleObject, 11_2_04C39520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C3AD30 NtSetContextThread, 11_2_04C3AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39670 NtQueryInformationProcess, 11_2_04C39670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39610 NtEnumerateValueKey, 11_2_04C39610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C397A0 NtUnmapViewOfSection, 11_2_04C397A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39760 NtOpenProcess, 11_2_04C39760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C3A770 NtOpenThread, 11_2_04C3A770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39770 NtSetInformationFile, 11_2_04C39770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C3A710 NtOpenProcessToken, 11_2_04C3A710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39730 NtQueryVirtualMemory, 11_2_04C39730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C398F0 NtReadVirtualMemory, 11_2_04C398F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C398A0 NtWriteVirtualMemory, 11_2_04C398A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C3B040 NtSuspendThread, 11_2_04C3B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39820 NtEnumerateKey, 11_2_04C39820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C399D0 NtCreateProcessEx, 11_2_04C399D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39950 NtQueueApcThread, 11_2_04C39950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39A80 NtOpenDirectoryObject, 11_2_04C39A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39A00 NtProtectVirtualMemory, 11_2_04C39A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39A10 NtQuerySection, 11_2_04C39A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39A20 NtResumeThread, 11_2_04C39A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C3A3B0 NtGetContextThread, 11_2_04C3A3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C39B00 NtSetValueKey, 11_2_04C39B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE81B0 NtCreateFile, 11_2_00CE81B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE82E0 NtClose, 11_2_00CE82E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE8260 NtReadFile, 11_2_00CE8260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE8390 NtAllocateVirtualMemory, 11_2_00CE8390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE82AB NtReadFile, 11_2_00CE82AB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE825A NtReadFile, 11_2_00CE825A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE838A NtAllocateVirtualMemory, 11_2_00CE838A
Detected potential crypto function
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 2_2_00A1C508 2_2_00A1C508
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 2_2_00A19990 2_2_00A19990
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041A296 5_2_0041A296
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041BB66 5_2_0041BB66
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041CB72 5_2_0041CB72
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041CB75 5_2_0041CB75
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00408C50 5_2_00408C50
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00402D87 5_2_00402D87
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041B61B 5_2_0041B61B
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041BEB6 5_2_0041BEB6
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01962581 5_2_01962581
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194D5E0 5_2_0194D5E0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A025DD 5_2_01A025DD
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193F900 5_2_0193F900
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A02D07 5_2_01A02D07
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01930D20 5_2_01930D20
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01954120 5_2_01954120
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A01D55 5_2_01A01D55
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194B090 5_2_0194B090
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A020A8 5_2_01A020A8
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019620A0 5_2_019620A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A028EC 5_2_01A028EC
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194841F 5_2_0194841F
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F1002 5_2_019F1002
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196EBB0 5_2_0196EBB0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019FDBD2 5_2_019FDBD2
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A01FF1 5_2_01A01FF1
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A02B28 5_2_01A02B28
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A022AE 5_2_01A022AE
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A02EF7 5_2_01A02EF7
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01956E30 5_2_01956E30
Source: C:\Windows\explorer.exe Code function: 6_2_06427062 6_2_06427062
Source: C:\Windows\explorer.exe Code function: 6_2_064228F9 6_2_064228F9
Source: C:\Windows\explorer.exe Code function: 6_2_064252FF 6_2_064252FF
Source: C:\Windows\explorer.exe Code function: 6_2_06423362 6_2_06423362
Source: C:\Windows\explorer.exe Code function: 6_2_06422902 6_2_06422902
Source: C:\Windows\explorer.exe Code function: 6_2_06425302 6_2_06425302
Source: C:\Windows\explorer.exe Code function: 6_2_064287C7 6_2_064287C7
Source: C:\Windows\explorer.exe Code function: 6_2_064295B2 6_2_064295B2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBD466 11_2_04CBD466
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0841F 11_2_04C0841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC25DD 11_2_04CC25DD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0D5E0 11_2_04C0D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC1D55 11_2_04CC1D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF0D20 11_2_04BF0D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC2D07 11_2_04CC2D07
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC2EF7 11_2_04CC2EF7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBD616 11_2_04CBD616
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C16E30 11_2_04C16E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CCDFCE 11_2_04CCDFCE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC1FF1 11_2_04CC1FF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC28EC 11_2_04CC28EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0B090 11_2_04C0B090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C220A0 11_2_04C220A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC20A8 11_2_04CC20A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB1002 11_2_04CB1002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CCE824 11_2_04CCE824
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFF900 11_2_04BFF900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C14120 11_2_04C14120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC22AE 11_2_04CC22AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CAFA2B 11_2_04CAFA2B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB03DA 11_2_04CB03DA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBDBD2 11_2_04CBDBD2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2EBB0 11_2_04C2EBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1AB40 11_2_04C1AB40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC2B28 11_2_04CC2B28
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CEA296 11_2_00CEA296
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CECB75 11_2_00CECB75
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CECB72 11_2_00CECB72
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CD8C50 11_2_00CD8C50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CD2D87 11_2_00CD2D87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CD2D90 11_2_00CD2D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CD2FB0 11_2_00CD2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: String function: 0193B150 appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 04BFB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameriched20.dllp( vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.227342464.0000000000A60000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.226621287.00000000002F8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.234024022.00000000086C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000002.00000002.233518912.0000000008500000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000005.00000000.225714559.0000000000EB8000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000005.00000002.285659789.000000000169B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 4pFzkB6ePK.exe
Source: 4pFzkB6ePK.exe Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: 4pFzkB6ePK.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4pFzkB6ePK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 4pFzkB6ePK.exe, LogIn.cs Base64 encoded string: [long Base64 blob omitted]
Source: 5.2.4pFzkB6ePK.exe.e40000.1.unpack, LogIn.cs Base64 encoded string: [long Base64 blob omitted]
Source: 5.0.4pFzkB6ePK.exe.e40000.0.unpack, LogIn.cs Base64 encoded string: [long Base64 blob omitted]
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@9/5
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4pFzkB6ePK.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
Source: 4pFzkB6ePK.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 4pFzkB6ePK.exe Virustotal: Detection: 22%
Source: 4pFzkB6ePK.exe ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
Source: unknown Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe C:\Users\user\Desktop\4pFzkB6ePK.exe
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe C:\Users\user\Desktop\4pFzkB6ePK.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 4pFzkB6ePK.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4pFzkB6ePK.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.475468589.0000000004BD0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 4pFzkB6ePK.exe, msiexec.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4pFzkB6ePK.exe, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.4pFzkB6ePK.exe.e40000.1.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.4pFzkB6ePK.exe.e40000.0.unpack, BoundHandle.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041B3F2 push eax; ret 5_2_0041B3F8
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041B3FB push eax; ret 5_2_0041B462
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041B3A5 push eax; ret 5_2_0041B3F8
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041B45C push eax; ret 5_2_0041B462
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0041C468 push ss; iretd 5_2_0041C469
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00415FB5 push eax; retf 5_2_00415FBF
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0198D0D1 push ecx; ret 5_2_0198D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C4D0D1 push ecx; ret 11_2_04C4D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CEB3FB push eax; ret 11_2_00CEB462
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CEB3F2 push eax; ret 11_2_00CEB3F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CEB3A5 push eax; ret 11_2_00CEB3F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CEB45C push eax; ret 11_2_00CEB462
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CEC468 push ss; iretd 11_2_00CEC469
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00CE5FB5 push eax; retf 11_2_00CE5FBF
Source: initial sample Static PE information: section name: .text entropy: 7.42579480649
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4pFzkB6ePK.exe PID: 6484, type: MEMORY
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.26d4938.1.raw.unpack, type: UNPACKEDPE
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 0000000000CD85E4 second address: 0000000000CD85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 0000000000CD896E second address: 0000000000CD8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_004088A0 rdtsc 5_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe TID: 6488 Thread sleep time: -103855s >= -30000s
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe TID: 6528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6696 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 6436 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: 4pFzkB6ePK.exe, 00000002.00000002.233013059.00000000083F5000.00000004.00000001.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000006.00000000.252565656.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.252565656.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.251608413.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.252167795.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.244556737.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: msiexec.exe, 0000000B.00000002.474888659.000000000322B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.252565656.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.252565656.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.252683584.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000002.488112370.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000002.471816692.0000000001398000.00000004.00000020.sdmp Binary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&I
Source: explorer.exe, 00000006.00000000.251608413.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.251608413.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 4pFzkB6ePK.exe, 00000002.00000002.233013059.00000000083F5000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMware9XBLNAE2Win32_VideoControllerLB3K12PUVideoController120060621000000.000000-00067325669display.infMSBDAV6AP371YPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsPHALFHV_
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.251608413.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_004088A0 rdtsc 5_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_00409B10 LdrLoadDll, 5_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01962990 mov eax, dword ptr fs:[00000030h] 5_2_01962990
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A005AC mov eax, dword ptr fs:[00000030h] 5_2_01A005AC
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196FD9B mov eax, dword ptr fs:[00000030h] 5_2_0196FD9B
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196A185 mov eax, dword ptr fs:[00000030h] 5_2_0196A185
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195C182 mov eax, dword ptr fs:[00000030h] 5_2_0195C182
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01962581 mov eax, dword ptr fs:[00000030h] 5_2_01962581
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01932D8A mov eax, dword ptr fs:[00000030h] 5_2_01932D8A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01961DB5 mov eax, dword ptr fs:[00000030h] 5_2_01961DB5
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B51BE mov eax, dword ptr fs:[00000030h] 5_2_019B51BE
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019661A0 mov eax, dword ptr fs:[00000030h] 5_2_019661A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019635A1 mov eax, dword ptr fs:[00000030h] 5_2_019635A1
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B69A6 mov eax, dword ptr fs:[00000030h] 5_2_019B69A6
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B6DC9 mov eax, dword ptr fs:[00000030h] 5_2_019B6DC9
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_019B6DC9
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019E8DF1 mov eax, dword ptr fs:[00000030h] 5_2_019E8DF1
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0193B1E1
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019C41E8 mov eax, dword ptr fs:[00000030h] 5_2_019C41E8
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0194D5E0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019FFDE2 mov eax, dword ptr fs:[00000030h] 5_2_019FFDE2
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01939100 mov eax, dword ptr fs:[00000030h] 5_2_01939100
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A08D34 mov eax, dword ptr fs:[00000030h] 5_2_01A08D34
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01943D34 mov eax, dword ptr fs:[00000030h] 5_2_01943D34
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193AD30 mov eax, dword ptr fs:[00000030h] 5_2_0193AD30
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019FE539 mov eax, dword ptr fs:[00000030h] 5_2_019FE539
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196513A mov eax, dword ptr fs:[00000030h] 5_2_0196513A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019BA537 mov eax, dword ptr fs:[00000030h] 5_2_019BA537
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01964D3B mov eax, dword ptr fs:[00000030h] 5_2_01964D3B
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01954120 mov eax, dword ptr fs:[00000030h] 5_2_01954120
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01954120 mov ecx, dword ptr fs:[00000030h] 5_2_01954120
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01957D50 mov eax, dword ptr fs:[00000030h] 5_2_01957D50
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195B944 mov eax, dword ptr fs:[00000030h] 5_2_0195B944
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01973D43 mov eax, dword ptr fs:[00000030h] 5_2_01973D43
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B3540 mov eax, dword ptr fs:[00000030h] 5_2_019B3540
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193B171 mov eax, dword ptr fs:[00000030h] 5_2_0193B171
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195C577 mov eax, dword ptr fs:[00000030h] 5_2_0195C577
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193C962 mov eax, dword ptr fs:[00000030h] 5_2_0193C962
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194849B mov eax, dword ptr fs:[00000030h] 5_2_0194849B
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01939080 mov eax, dword ptr fs:[00000030h] 5_2_01939080
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B3884 mov eax, dword ptr fs:[00000030h] 5_2_019B3884
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196F0BF mov ecx, dword ptr fs:[00000030h] 5_2_0196F0BF
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196F0BF mov eax, dword ptr fs:[00000030h] 5_2_0196F0BF
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019620A0 mov eax, dword ptr fs:[00000030h] 5_2_019620A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019790AF mov eax, dword ptr fs:[00000030h] 5_2_019790AF
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019CB8D0 mov eax, dword ptr fs:[00000030h] 5_2_019CB8D0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019CB8D0 mov ecx, dword ptr fs:[00000030h] 5_2_019CB8D0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F14FB mov eax, dword ptr fs:[00000030h] 5_2_019F14FB
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B6CF0 mov eax, dword ptr fs:[00000030h] 5_2_019B6CF0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A08CD6 mov eax, dword ptr fs:[00000030h] 5_2_01A08CD6
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019358EC mov eax, dword ptr fs:[00000030h] 5_2_019358EC
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B7016 mov eax, dword ptr fs:[00000030h] 5_2_019B7016
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B6C0A mov eax, dword ptr fs:[00000030h] 5_2_019B6C0A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F1C06 mov eax, dword ptr fs:[00000030h] 5_2_019F1C06
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A0740D mov eax, dword ptr fs:[00000030h] 5_2_01A0740D
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A04015 mov eax, dword ptr fs:[00000030h] 5_2_01A04015
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196BC2C mov eax, dword ptr fs:[00000030h] 5_2_0196BC2C
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196002D mov eax, dword ptr fs:[00000030h] 5_2_0196002D
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194B02A mov eax, dword ptr fs:[00000030h] 5_2_0194B02A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01950050 mov eax, dword ptr fs:[00000030h] 5_2_01950050
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019CC450 mov eax, dword ptr fs:[00000030h] 5_2_019CC450
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A01074 mov eax, dword ptr fs:[00000030h] 5_2_01A01074
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196A44B mov eax, dword ptr fs:[00000030h] 5_2_0196A44B
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F2073 mov eax, dword ptr fs:[00000030h] 5_2_019F2073
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195746D mov eax, dword ptr fs:[00000030h] 5_2_0195746D
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01948794 mov eax, dword ptr fs:[00000030h] 5_2_01948794
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01962397 mov eax, dword ptr fs:[00000030h] 5_2_01962397
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A05BA5 mov eax, dword ptr fs:[00000030h] 5_2_01A05BA5
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196B390 mov eax, dword ptr fs:[00000030h] 5_2_0196B390
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B7794 mov eax, dword ptr fs:[00000030h] 5_2_019B7794
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F138A mov eax, dword ptr fs:[00000030h] 5_2_019F138A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01941B8F mov eax, dword ptr fs:[00000030h] 5_2_01941B8F
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019ED380 mov ecx, dword ptr fs:[00000030h] 5_2_019ED380
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01964BAD mov eax, dword ptr fs:[00000030h] 5_2_01964BAD
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B53CA mov eax, dword ptr fs:[00000030h] 5_2_019B53CA
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019737F5 mov eax, dword ptr fs:[00000030h] 5_2_019737F5
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019603E2 mov eax, dword ptr fs:[00000030h] 5_2_019603E2
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195DBE9 mov eax, dword ptr fs:[00000030h] 5_2_0195DBE9
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195F716 mov eax, dword ptr fs:[00000030h] 5_2_0195F716
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F131B mov eax, dword ptr fs:[00000030h] 5_2_019F131B
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019CFF10 mov eax, dword ptr fs:[00000030h] 5_2_019CFF10
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196A70E mov eax, dword ptr fs:[00000030h] 5_2_0196A70E
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196E730 mov eax, dword ptr fs:[00000030h] 5_2_0196E730
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A0070D mov eax, dword ptr fs:[00000030h] 5_2_01A0070D
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01934F2E mov eax, dword ptr fs:[00000030h] 5_2_01934F2E
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A08F6A mov eax, dword ptr fs:[00000030h] 5_2_01A08F6A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193F358 mov eax, dword ptr fs:[00000030h] 5_2_0193F358
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193DB40 mov eax, dword ptr fs:[00000030h] 5_2_0193DB40
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194EF40 mov eax, dword ptr fs:[00000030h] 5_2_0194EF40
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01963B7A mov eax, dword ptr fs:[00000030h] 5_2_01963B7A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193DB60 mov ecx, dword ptr fs:[00000030h] 5_2_0193DB60
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194FF60 mov eax, dword ptr fs:[00000030h] 5_2_0194FF60
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A08B58 mov eax, dword ptr fs:[00000030h] 5_2_01A08B58
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196D294 mov eax, dword ptr fs:[00000030h] 5_2_0196D294
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A00EA5 mov eax, dword ptr fs:[00000030h] 5_2_01A00EA5
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019CFE87 mov eax, dword ptr fs:[00000030h] 5_2_019CFE87
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0194AAB0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196FAB0 mov eax, dword ptr fs:[00000030h] 5_2_0196FAB0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019352A5 mov eax, dword ptr fs:[00000030h] 5_2_019352A5
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019B46A7 mov eax, dword ptr fs:[00000030h] 5_2_019B46A7
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01978EC7 mov eax, dword ptr fs:[00000030h] 5_2_01978EC7
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019636CC mov eax, dword ptr fs:[00000030h] 5_2_019636CC
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01962ACB mov eax, dword ptr fs:[00000030h] 5_2_01962ACB
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019EFEC0 mov eax, dword ptr fs:[00000030h] 5_2_019EFEC0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01962AE4 mov eax, dword ptr fs:[00000030h] 5_2_01962AE4
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019616E0 mov ecx, dword ptr fs:[00000030h] 5_2_019616E0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A08ED6 mov eax, dword ptr fs:[00000030h] 5_2_01A08ED6
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019476E2 mov eax, dword ptr fs:[00000030h] 5_2_019476E2
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01935210 mov eax, dword ptr fs:[00000030h] 5_2_01935210
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01935210 mov ecx, dword ptr fs:[00000030h] 5_2_01935210
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193AA16 mov eax, dword ptr fs:[00000030h] 5_2_0193AA16
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01953A1C mov eax, dword ptr fs:[00000030h] 5_2_01953A1C
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0196A61C mov eax, dword ptr fs:[00000030h] 5_2_0196A61C
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193C600 mov eax, dword ptr fs:[00000030h] 5_2_0193C600
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01968E00 mov eax, dword ptr fs:[00000030h] 5_2_01968E00
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019F1608 mov eax, dword ptr fs:[00000030h] 5_2_019F1608
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01948A0A mov eax, dword ptr fs:[00000030h] 5_2_01948A0A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019EFE3F mov eax, dword ptr fs:[00000030h] 5_2_019EFE3F
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0193E620 mov eax, dword ptr fs:[00000030h] 5_2_0193E620
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01974A2C mov eax, dword ptr fs:[00000030h] 5_2_01974A2C
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01A08A62 mov eax, dword ptr fs:[00000030h] 5_2_01A08A62
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019FEA55 mov eax, dword ptr fs:[00000030h] 5_2_019FEA55
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019C4257 mov eax, dword ptr fs:[00000030h] 5_2_019C4257
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01939240 mov eax, dword ptr fs:[00000030h] 5_2_01939240
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_01947E41 mov eax, dword ptr fs:[00000030h] 5_2_01947E41
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019FAE44 mov eax, dword ptr fs:[00000030h] 5_2_019FAE44
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0195AE73 mov eax, dword ptr fs:[00000030h] 5_2_0195AE73
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0197927A mov eax, dword ptr fs:[00000030h] 5_2_0197927A
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_0194766D mov eax, dword ptr fs:[00000030h] 5_2_0194766D
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Code function: 5_2_019EB260 mov eax, dword ptr fs:[00000030h] 5_2_019EB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC8CD6 mov eax, dword ptr fs:[00000030h] 11_2_04CC8CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB14FB mov eax, dword ptr fs:[00000030h] 11_2_04CB14FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C76CF0 mov eax, dword ptr fs:[00000030h] 11_2_04C76CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0849B mov eax, dword ptr fs:[00000030h] 11_2_04C0849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2A44B mov eax, dword ptr fs:[00000030h] 11_2_04C2A44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C8C450 mov eax, dword ptr fs:[00000030h] 11_2_04C8C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1746D mov eax, dword ptr fs:[00000030h] 11_2_04C1746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC740D mov eax, dword ptr fs:[00000030h] 11_2_04CC740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB1C06 mov eax, dword ptr fs:[00000030h] 11_2_04CB1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C76C0A mov eax, dword ptr fs:[00000030h] 11_2_04C76C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2BC2C mov eax, dword ptr fs:[00000030h] 11_2_04C2BC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C76DC9 mov eax, dword ptr fs:[00000030h] 11_2_04C76DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C76DC9 mov ecx, dword ptr fs:[00000030h] 11_2_04C76DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0D5E0 mov eax, dword ptr fs:[00000030h] 11_2_04C0D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBFDE2 mov eax, dword ptr fs:[00000030h] 11_2_04CBFDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF2D8A mov eax, dword ptr fs:[00000030h] 11_2_04BF2D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CA8DF1 mov eax, dword ptr fs:[00000030h] 11_2_04CA8DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2FD9B mov eax, dword ptr fs:[00000030h] 11_2_04C2FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC05AC mov eax, dword ptr fs:[00000030h] 11_2_04CC05AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C235A1 mov eax, dword ptr fs:[00000030h] 11_2_04C235A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C21DB5 mov eax, dword ptr fs:[00000030h] 11_2_04C21DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C33D43 mov eax, dword ptr fs:[00000030h] 11_2_04C33D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C73540 mov eax, dword ptr fs:[00000030h] 11_2_04C73540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CA3D40 mov eax, dword ptr fs:[00000030h] 11_2_04CA3D40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFAD30 mov eax, dword ptr fs:[00000030h] 11_2_04BFAD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C17D50 mov eax, dword ptr fs:[00000030h] 11_2_04C17D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1C577 mov eax, dword ptr fs:[00000030h] 11_2_04C1C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C7A537 mov eax, dword ptr fs:[00000030h] 11_2_04C7A537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBE539 mov eax, dword ptr fs:[00000030h] 11_2_04CBE539
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C03D34 mov eax, dword ptr fs:[00000030h] 11_2_04C03D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC8D34 mov eax, dword ptr fs:[00000030h] 11_2_04CC8D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C24D3B mov eax, dword ptr fs:[00000030h] 11_2_04C24D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C38EC7 mov eax, dword ptr fs:[00000030h] 11_2_04C38EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CAFEC0 mov eax, dword ptr fs:[00000030h] 11_2_04CAFEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C236CC mov eax, dword ptr fs:[00000030h] 11_2_04C236CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC8ED6 mov eax, dword ptr fs:[00000030h] 11_2_04CC8ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C216E0 mov ecx, dword ptr fs:[00000030h] 11_2_04C216E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C076E2 mov eax, dword ptr fs:[00000030h] 11_2_04C076E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C8FE87 mov eax, dword ptr fs:[00000030h] 11_2_04C8FE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C746A7 mov eax, dword ptr fs:[00000030h] 11_2_04C746A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC0EA5 mov eax, dword ptr fs:[00000030h] 11_2_04CC0EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C07E41 mov eax, dword ptr fs:[00000030h] 11_2_04C07E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBAE44 mov eax, dword ptr fs:[00000030h] 11_2_04CBAE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFE620 mov eax, dword ptr fs:[00000030h] 11_2_04BFE620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0766D mov eax, dword ptr fs:[00000030h] 11_2_04C0766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1AE73 mov eax, dword ptr fs:[00000030h] 11_2_04C1AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFC600 mov eax, dword ptr fs:[00000030h] 11_2_04BFC600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C28E00 mov eax, dword ptr fs:[00000030h] 11_2_04C28E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB1608 mov eax, dword ptr fs:[00000030h] 11_2_04CB1608
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2A61C mov eax, dword ptr fs:[00000030h] 11_2_04C2A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CAFE3F mov eax, dword ptr fs:[00000030h] 11_2_04CAFE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C337F5 mov eax, dword ptr fs:[00000030h] 11_2_04C337F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C77794 mov eax, dword ptr fs:[00000030h] 11_2_04C77794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C08794 mov eax, dword ptr fs:[00000030h] 11_2_04C08794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0EF40 mov eax, dword ptr fs:[00000030h] 11_2_04C0EF40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF4F2E mov eax, dword ptr fs:[00000030h] 11_2_04BF4F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0FF60 mov eax, dword ptr fs:[00000030h] 11_2_04C0FF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC8F6A mov eax, dword ptr fs:[00000030h] 11_2_04CC8F6A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC070D mov eax, dword ptr fs:[00000030h] 11_2_04CC070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2A70E mov eax, dword ptr fs:[00000030h] 11_2_04C2A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1F716 mov eax, dword ptr fs:[00000030h] 11_2_04C1F716
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C8FF10 mov eax, dword ptr fs:[00000030h] 11_2_04C8FF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2E730 mov eax, dword ptr fs:[00000030h] 11_2_04C2E730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C8B8D0 mov eax, dword ptr fs:[00000030h] 11_2_04C8B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C8B8D0 mov ecx, dword ptr fs:[00000030h] 11_2_04C8B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF9080 mov eax, dword ptr fs:[00000030h] 11_2_04BF9080
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C73884 mov eax, dword ptr fs:[00000030h] 11_2_04C73884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF58EC mov eax, dword ptr fs:[00000030h] 11_2_04BF58EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF40E1 mov eax, dword ptr fs:[00000030h] 11_2_04BF40E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C220A0 mov eax, dword ptr fs:[00000030h] 11_2_04C220A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C390AF mov eax, dword ptr fs:[00000030h] 11_2_04C390AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2F0BF mov ecx, dword ptr fs:[00000030h] 11_2_04C2F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2F0BF mov eax, dword ptr fs:[00000030h] 11_2_04C2F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C10050 mov eax, dword ptr fs:[00000030h] 11_2_04C10050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB2073 mov eax, dword ptr fs:[00000030h] 11_2_04CB2073
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC1074 mov eax, dword ptr fs:[00000030h] 11_2_04CC1074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C77016 mov eax, dword ptr fs:[00000030h] 11_2_04C77016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC4015 mov eax, dword ptr fs:[00000030h] 11_2_04CC4015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0B02A mov eax, dword ptr fs:[00000030h] 11_2_04C0B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2002D mov eax, dword ptr fs:[00000030h] 11_2_04C2002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C841E8 mov eax, dword ptr fs:[00000030h] 11_2_04C841E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1C182 mov eax, dword ptr fs:[00000030h] 11_2_04C1C182
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2A185 mov eax, dword ptr fs:[00000030h] 11_2_04C2A185
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C22990 mov eax, dword ptr fs:[00000030h] 11_2_04C22990
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFB1E1 mov eax, dword ptr fs:[00000030h] 11_2_04BFB1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C769A6 mov eax, dword ptr fs:[00000030h] 11_2_04C769A6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C261A0 mov eax, dword ptr fs:[00000030h] 11_2_04C261A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CB49A4 mov eax, dword ptr fs:[00000030h] 11_2_04CB49A4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C751BE mov eax, dword ptr fs:[00000030h] 11_2_04C751BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C751BE mov eax, dword ptr fs:[00000030h] 11_2_04C751BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C751BE mov eax, dword ptr fs:[00000030h] 11_2_04C751BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C751BE mov eax, dword ptr fs:[00000030h] 11_2_04C751BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1B944 mov eax, dword ptr fs:[00000030h] 11_2_04C1B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C1B944 mov eax, dword ptr fs:[00000030h] 11_2_04C1B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF9100 mov eax, dword ptr fs:[00000030h] 11_2_04BF9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF9100 mov eax, dword ptr fs:[00000030h] 11_2_04BF9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF9100 mov eax, dword ptr fs:[00000030h] 11_2_04BF9100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFB171 mov eax, dword ptr fs:[00000030h] 11_2_04BFB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFB171 mov eax, dword ptr fs:[00000030h] 11_2_04BFB171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFC962 mov eax, dword ptr fs:[00000030h] 11_2_04BFC962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C14120 mov eax, dword ptr fs:[00000030h] 11_2_04C14120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C14120 mov eax, dword ptr fs:[00000030h] 11_2_04C14120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C14120 mov eax, dword ptr fs:[00000030h] 11_2_04C14120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C14120 mov eax, dword ptr fs:[00000030h] 11_2_04C14120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C14120 mov ecx, dword ptr fs:[00000030h] 11_2_04C14120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2513A mov eax, dword ptr fs:[00000030h] 11_2_04C2513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2513A mov eax, dword ptr fs:[00000030h] 11_2_04C2513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C22ACB mov eax, dword ptr fs:[00000030h] 11_2_04C22ACB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF52A5 mov eax, dword ptr fs:[00000030h] 11_2_04BF52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF52A5 mov eax, dword ptr fs:[00000030h] 11_2_04BF52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF52A5 mov eax, dword ptr fs:[00000030h] 11_2_04BF52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF52A5 mov eax, dword ptr fs:[00000030h] 11_2_04BF52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF52A5 mov eax, dword ptr fs:[00000030h] 11_2_04BF52A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C22AE4 mov eax, dword ptr fs:[00000030h] 11_2_04C22AE4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2D294 mov eax, dword ptr fs:[00000030h] 11_2_04C2D294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2D294 mov eax, dword ptr fs:[00000030h] 11_2_04C2D294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0AAB0 mov eax, dword ptr fs:[00000030h] 11_2_04C0AAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C0AAB0 mov eax, dword ptr fs:[00000030h] 11_2_04C0AAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C2FAB0 mov eax, dword ptr fs:[00000030h] 11_2_04C2FAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CBEA55 mov eax, dword ptr fs:[00000030h] 11_2_04CBEA55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C84257 mov eax, dword ptr fs:[00000030h] 11_2_04C84257
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFAA16 mov eax, dword ptr fs:[00000030h] 11_2_04BFAA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BFAA16 mov eax, dword ptr fs:[00000030h] 11_2_04BFAA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CAB260 mov eax, dword ptr fs:[00000030h] 11_2_04CAB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CAB260 mov eax, dword ptr fs:[00000030h] 11_2_04CAB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04CC8A62 mov eax, dword ptr fs:[00000030h] 11_2_04CC8A62
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF5210 mov eax, dword ptr fs:[00000030h] 11_2_04BF5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF5210 mov ecx, dword ptr fs:[00000030h] 11_2_04BF5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF5210 mov eax, dword ptr fs:[00000030h] 11_2_04BF5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04BF5210 mov eax, dword ptr fs:[00000030h] 11_2_04BF5210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C3927A mov eax, dword ptr fs:[00000030h] 11_2_04C3927A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C08A0A mov eax, dword ptr fs:[00000030h] 11_2_04C08A0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_04C13A1C mov eax, dword ptr fs:[00000030h] 11_2_04C13A1C
Enables debug privileges
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Network Connect: 106.13.210.52 80
Source: C:\Windows\explorer.exe Network Connect: 154.201.205.155 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.128.38 80
Source: C:\Windows\explorer.exe Network Connect: 95.130.17.35 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Memory written: C:\Users\user\Desktop\4pFzkB6ePK.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Thread register set: target process: 3388
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: FB0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe C:\Users\user\Desktop\4pFzkB6ePK.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
Source: explorer.exe, 00000006.00000002.471816692.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000000.231260706.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000B.00000002.475075751.0000000003480000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.489439123.0000000006860000.00000004.00000001.sdmp, msiexec.exe, 0000000B.00000002.475075751.0000000003480000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.231260706.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000B.00000002.475075751.0000000003480000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.231260706.0000000001980000.00000002.00000001.sdmp, msiexec.exe, 0000000B.00000002.475075751.0000000003480000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Users\user\Desktop\4pFzkB6ePK.exe VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 356512 Sample: 4pFzkB6ePK.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100

Top-level node: contacts www.trinityhousegoa.com, www.2seamapparel.com and 3 other IPs or domains; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures.

Process chain recovered from the graph (each process starts the one listed after it, except explorer.exe, which is injected):
  • 4pFzkB6ePK.exe (started): drops C:\Users\user\AppData\...\4pFzkB6ePK.exe.log (ASCII); signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  • 4pFzkB6ePK.exe (started, second instance): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  • explorer.exe (injected): contacts www.ntljcb.com 154.201.205.155, 49738, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles; www.nachbau.net 95.130.17.35, 49725, 80 INETWIRE-ASWilhelm-Wagenfeld-Str16DE Germany; 6 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
  • msiexec.exe (started): contacts www.fsqlgt.com; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • cmd.exe (started)
  • conhost.exe (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
154.201.205.155 | unknown | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
160.153.128.38 | unknown | United States | 21501 | GODADDY-AMSDE | true
184.168.131.241 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
95.130.17.35 | unknown | Germany | 13246 | INETWIRE-ASWilhelm-Wagenfeld-Str16DE | true
106.13.210.52 | unknown | China | 38365 | BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd | true

Contacted Domains

Name IP Active
www.fsqlgt.com 106.13.210.52 true
www.ntljcb.com 154.201.205.155 true
www.nachbau.net 95.130.17.35 true
trinityhousegoa.com 194.59.164.91 true
aslanforklift.com 160.153.128.38 true
shops.myshopify.com 23.227.38.74 true
carbon-foam.com 184.168.131.241 true
www.electricbiketechnologes.com unknown unknown
www.carbon-foam.com unknown unknown
www.trinityhousegoa.com unknown unknown
www.2seamapparel.com unknown unknown
www.aslanforklift.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.nachbau.net/tub0/?0T0hlT=cydGkSUU+hbxwnLMCHdxs2HTbhyeOBhf6VDIiN7OyAb+9b2I/6QPcL+NYbrcHhStME+j&OVlT0R=o2JlVT4hT8qhr8ep | true | Avira URL Cloud: safe | unknown
www.ntljcb.com/tub0/ | true | Avira URL Cloud: safe | low
http://www.carbon-foam.com/tub0/?0T0hlT=0g3BJlW7sTphQ/5j4Tdr5dYYoDFSx+aDomq4rDoP20bT0mosHTIKHGclLGRJ8AP1BBBd&OVlT0R=o2JlVT4hT8qhr8ep | true | Avira URL Cloud: safe | unknown
http://www.aslanforklift.com/tub0/?0T0hlT=Oc9Sv6ZsHiz1lEkHjT4sUkzXc6kK6TfJoTMn/p3mX09SqIZJtOPjrYy4Z3tQQ5aTicNK&OVlT0R=o2JlVT4hT8qhr8ep | true | Avira URL Cloud: safe | unknown
http://www.ntljcb.com/tub0/?0T0hlT=dN2zk3vDrvOSMWpoBKxdiHLfh4G+CBzvqQ9gZV3x5lRoIc3e6NmSOgfKn1bO4v69I6lv&OVlT0R=o2JlVT4hT8qhr8ep | true | Avira URL Cloud: safe | unknown