Analysis Report 0O9BJfVJi6fEMoS.exe

Overview

General Information

Sample Name: 0O9BJfVJi6fEMoS.exe
Analysis ID: 356555
MD5: 18ec78e09155c046a203fb4dcbc3593f
SHA1: 40e67eef7c001a8752763616fc9a58170721c27a
SHA256: 01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
Tags: exe, Formbook, Yahoo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: www.besteprobioticakopen.online/uszn/ Avira URL Cloud: Label: malware
Source: http://www.besteprobioticakopen.online/uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX Avira URL Cloud: Label: malware
Found malware configuration
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack Malware Configuration Extractor: FormBook {"C2 list": ["www.besteprobioticakopen.online/uszn/"], "decoy": ["animegriptape.com", "pcpnetworks.com", "putupmybabyforadoption.com", "xn--jvrr98g37n88d.com", "fertinvitro.doctor", "undonethread.com", "avoleague.com", "sissysundays.com", "guilhermeoliveiro.site", "catholicon-bespeckle.info", "mardesuenosfundacion.com", "songkhoe24.site", "shoecityindia.com", "smallbathroomdecor.info", "tskusa.com", "prairiespringsllc.com", "kegncoffee.com", "clicklounge.xyz", "catholicendoflifeplanning.com", "steelobzee.com", "xiknekiterapia.com", "whereinthezooareyou.com", "maglex.info", "dango3.net", "sqjqw4.com", "theparadisogroup.com", "karthikeyainfraindia.com", "luewevedre.com", "helpwithmynutrition.com", "lengyue.cool", "pbipropertiesllc.com", "glidedisc.com", "sz-rhwjkj.com", "776fx.com", "kamanantzin.com", "grandwhale.com", "trump2020shop.net", "gentilelibri.com", "jarliciouslounge.com", "dgcsales.net", "hypno.doctor", "holidayinnindyairportnorth.com", "buysellleasewithlisa.com", "girishastore.com", "tinynucleargenerators.com", "crystalphoenixltd.com", "lapplify.com", "bailbondinazusa.com", "michaelmery.com", "tripleecoaching.com", "fastenerspelosato.net", "horisan-touki.com", "marketingavacado.com", "centrebiozeina.com", "xn--3etz63bc5ck9c.com", "rhemachurch4u.com", "homeschoolangel.com", "romeysworld.com", "themixedveggies.com", "queendreea.club", "epedalflorida.com", "blutreemg.com", "nongfupingtai.com", "shikshs.com"]}
Multi AV Scanner detection for submitted file
Source: 0O9BJfVJi6fEMoS.exe ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 0O9BJfVJi6fEMoS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 0O9BJfVJi6fEMoS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: explorer.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 0O9BJfVJi6fEMoS.exe, explorer.exe
Source: Binary string: explorer.pdb source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 4x nop then pop edi 6_2_0040C3CB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop edi 11_2_0097C3CB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.besteprobioticakopen.online/uszn/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /uszn/?I48=ilzBSMt+mC5PnIueaE0o4kFNHHW8rQxTZUVxaBcrk7HNT8xc6ayAEkd5Nrf40/DEmyGF&ofrxU=yVMtQLoX HTTP/1.1 Host: www.fastenerspelosato.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=52ikA0v5VO8qsylJfSO1DetMiatJe0E1D9rBoJ+nHZYmtxf70roQflY+S8wYouTF3o6y&ofrxU=yVMtQLoX HTTP/1.1 Host: www.sissysundays.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=lR8nCh02VBrVevH9DBfx7BVzy1/OBYfsNcE9m+G8n0i7QYmfgEfs3uLKSpan4882ouVy&ofrxU=yVMtQLoX HTTP/1.1 Host: www.whereinthezooareyou.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=z5jHb1CZWrsr2p16zetrIsrl3FBZKeiByVV0oSV+dvaqVG1rneJc4YmewlelB8A40GEQ&ofrxU=yVMtQLoX HTTP/1.1 Host: www.fertinvitro.doctor Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=hu5lsjyQ8jtyvTSzqUKsO9FdlIq7HJAoGWXF85Byxyx8kG/0QeCZ2D448NGSTsl89HtB&ofrxU=yVMtQLoX HTTP/1.1 Host: www.dgcsales.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=QfBSKsl5Vu8QEYvg6r6EpYBO+tHghinNKHDEOdj6/CEQOiVDlwCi9gx1TH+D8HDA3Ujy&ofrxU=yVMtQLoX HTTP/1.1 Host: www.horisan-touki.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=L/tqFlZRmZhJZD1iC7RgW0bOgnRBAskMdyXY70yD3QYv5j7RY53hkHd2ZTpB0JeH3WIq&ofrxU=yVMtQLoX HTTP/1.1 Host: www.karthikeyainfraindia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX HTTP/1.1 Host: www.buysellleasewithlisa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX HTTP/1.1 Host: www.besteprobioticakopen.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 35.246.6.109 35.246.6.109
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NETMAGIC-APNetmagicDatacenterMumbaiIN NETMAGIC-APNetmagicDatacenterMumbaiIN
Source: Joe Sandbox View ASN Name: GOOGLEUS GOOGLEUS
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: unknown DNS traffic detected: queries for: www.fastenerspelosato.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Tue, 23 Feb 2021 09:08:03 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 
3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: explorer.exe, 00000007.00000002.913073739.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: 0O9BJfVJi6fEMoS.exe String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000000B.00000002.915089078.00000000056C2000.00000004.00000001.sdmp String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=grandwhale&e=com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_004181B0 NtCreateFile, 6_2_004181B0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00418260 NtReadFile, 6_2_00418260
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_004182E0 NtClose, 6_2_004182E0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00418390 NtAllocateVirtualMemory, 6_2_00418390
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_004181AC NtCreateFile, 6_2_004181AC
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00418262 NtReadFile, 6_2_00418262
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_004182DA NtClose, 6_2_004182DA
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_01679910
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016799A0 NtCreateSection,LdrInitializeThunk, 6_2_016799A0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_01679860
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679840 NtDelayExecution,LdrInitializeThunk, 6_2_01679840
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016798F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_016798F0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679A50 NtCreateFile,LdrInitializeThunk, 6_2_01679A50
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679A20 NtResumeThread,LdrInitializeThunk, 6_2_01679A20
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_01679A00
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679540 NtReadFile,LdrInitializeThunk, 6_2_01679540
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016795D0 NtClose,LdrInitializeThunk, 6_2_016795D0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679710 NtQueryInformationToken,LdrInitializeThunk, 6_2_01679710
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679FE0 NtCreateMutant,LdrInitializeThunk, 6_2_01679FE0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016797A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_016797A0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679780 NtMapViewOfSection,LdrInitializeThunk, 6_2_01679780
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_01679660
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016796E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_016796E0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679950 NtQueueApcThread, 6_2_01679950
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016799D0 NtCreateProcessEx, 6_2_016799D0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0167B040 NtSuspendThread, 6_2_0167B040
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679820 NtEnumerateKey, 6_2_01679820
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016798A0 NtWriteVirtualMemory, 6_2_016798A0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679B00 NtSetValueKey, 6_2_01679B00
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0167A3B0 NtGetContextThread, 6_2_0167A3B0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679A10 NtQuerySection, 6_2_01679A10
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679A80 NtOpenDirectoryObject, 6_2_01679A80
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679560 NtWriteFile, 6_2_01679560
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679520 NtWaitForSingleObject, 6_2_01679520
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0167AD30 NtSetContextThread, 6_2_0167AD30
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016795F0 NtQueryInformationFile, 6_2_016795F0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679760 NtOpenProcess, 6_2_01679760
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0167A770 NtOpenThread, 6_2_0167A770
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679770 NtSetInformationFile, 6_2_01679770
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679730 NtQueryVirtualMemory, 6_2_01679730
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0167A710 NtOpenProcessToken, 6_2_0167A710
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679670 NtQueryInformationProcess, 6_2_01679670
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679650 NtQueryValueKey, 6_2_01679650
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01679610 NtEnumerateValueKey, 6_2_01679610
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016796D0 NtCreateKey, 6_2_016796D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_05079910
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079540 NtReadFile,LdrInitializeThunk, 11_2_05079540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050799A0 NtCreateSection,LdrInitializeThunk, 11_2_050799A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050795D0 NtClose,LdrInitializeThunk, 11_2_050795D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079840 NtDelayExecution,LdrInitializeThunk, 11_2_05079840
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_05079860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079710 NtQueryInformationToken,LdrInitializeThunk, 11_2_05079710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079780 NtMapViewOfSection,LdrInitializeThunk, 11_2_05079780
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079FE0 NtCreateMutant,LdrInitializeThunk, 11_2_05079FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079A50 NtCreateFile,LdrInitializeThunk, 11_2_05079A50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079650 NtQueryValueKey,LdrInitializeThunk, 11_2_05079650
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_05079660
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050796D0 NtCreateKey,LdrInitializeThunk, 11_2_050796D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050796E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_050796E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079520 NtWaitForSingleObject, 11_2_05079520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0507AD30 NtSetContextThread, 11_2_0507AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079950 NtQueueApcThread, 11_2_05079950
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079560 NtWriteFile, 11_2_05079560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050799D0 NtCreateProcessEx, 11_2_050799D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050795F0 NtQueryInformationFile, 11_2_050795F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079820 NtEnumerateKey, 11_2_05079820
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0507B040 NtSuspendThread, 11_2_0507B040
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050798A0 NtWriteVirtualMemory, 11_2_050798A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050798F0 NtReadVirtualMemory, 11_2_050798F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079B00 NtSetValueKey, 11_2_05079B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0507A710 NtOpenProcessToken, 11_2_0507A710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079730 NtQueryVirtualMemory, 11_2_05079730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079760 NtOpenProcess, 11_2_05079760
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079770 NtSetInformationFile, 11_2_05079770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0507A770 NtOpenThread, 11_2_0507A770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050797A0 NtUnmapViewOfSection, 11_2_050797A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0507A3B0 NtGetContextThread, 11_2_0507A3B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079A00 NtProtectVirtualMemory, 11_2_05079A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079610 NtEnumerateValueKey, 11_2_05079610
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079A10 NtQuerySection, 11_2_05079A10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079A20 NtResumeThread, 11_2_05079A20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079670 NtQueryInformationProcess, 11_2_05079670
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05079A80 NtOpenDirectoryObject, 11_2_05079A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_009881B0 NtCreateFile, 11_2_009881B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_009882E0 NtClose, 11_2_009882E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00988260 NtReadFile, 11_2_00988260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00988390 NtAllocateVirtualMemory, 11_2_00988390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_009881AC NtCreateFile, 11_2_009881AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_009882DA NtClose, 11_2_009882DA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00988262 NtReadFile, 11_2_00988262
Detected potential crypto function
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 0_2_0103D20C 0_2_0103D20C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 0_2_0103F2C0 0_2_0103F2C0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 0_2_0103F2D0 0_2_0103F2D0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00401029 6_2_00401029
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00408C4B 6_2_00408C4B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00408C50 6_2_00408C50
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041B536 6_2_0041B536
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041C5B7 6_2_0041C5B7
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041B7D2 6_2_0041B7D2
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01654120 6_2_01654120
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163F900 6_2_0163F900
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F1002 6_2_016F1002
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_017028EC 6_2_017028EC
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016620A0 6_2_016620A0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_017020A8 6_2_017020A8
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164B090 6_2_0164B090
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01702B28 6_2_01702B28
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FDBD2 6_2_016FDBD2
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166EBB0 6_2_0166EBB0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_017022AE 6_2_017022AE
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01701D55 6_2_01701D55
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01630D20 6_2_01630D20
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01702D07 6_2_01702D07
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164D5E0 6_2_0164D5E0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_017025DD 6_2_017025DD
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01662581 6_2_01662581
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FD466 6_2_016FD466
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164841F 6_2_0164841F
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01701FF1 6_2_01701FF1
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01656E30 6_2_01656E30
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FD616 6_2_016FD616
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01702EF7 6_2_01702EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503F900 11_2_0503F900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05102D07 11_2_05102D07
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05030D20 11_2_05030D20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05054120 11_2_05054120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05101D55 11_2_05101D55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062581 11_2_05062581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_051025DD 11_2_051025DD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504D5E0 11_2_0504D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1002 11_2_050F1002
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504841F 11_2_0504841F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504B090 11_2_0504B090
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_051020A8 11_2_051020A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_051028EC 11_2_051028EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05102B28 11_2_05102B28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506EBB0 11_2_0506EBB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FDBD2 11_2_050FDBD2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05101FF1 11_2_05101FF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05056E30 11_2_05056E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_051022AE 11_2_051022AE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05102EF7 11_2_05102EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00978C50 11_2_00978C50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00978C4B 11_2_00978C4B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00972D90 11_2_00972D90
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098C5B7 11_2_0098C5B7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098B536 11_2_0098B536
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00972FB0 11_2_00972FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 0503B150 appears 35 times
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: String function: 0163B150 appears 35 times
Sample file is different than original file name gathered from version info
Source: 0O9BJfVJi6fEMoS.exe Binary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.686761788.00000000006E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.695770371.0000000008A00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe, 00000005.00000000.684507893.0000000000312000.00000002.00020000.sdmp Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.730975183.0000000000AA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732802577.000000000172F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000003.730245049.00000000039AE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 0O9BJfVJi6fEMoS.exe
Source: 0O9BJfVJi6fEMoS.exe Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
Uses 32bit PE files
Source: 0O9BJfVJi6fEMoS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.696031440.0000000008C80000.00000004.00000001.sdmp Binary or memory string: ^.vBpq
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@12/9
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0O9BJfVJi6fEMoS.exe.log
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Mutant created: \Sessions\1\BaseNamedObjects\TwFbGi
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: 0O9BJfVJi6fEMoS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 0O9BJfVJi6fEMoS.exe ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
Source: unknown Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 0O9BJfVJi6fEMoS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 0O9BJfVJi6fEMoS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 0O9BJfVJi6fEMoS.exe, explorer.exe
Source: Binary string: explorer.pdb source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 0_2_051E1598 push eax; mov dword ptr [esp], ecx 0_2_051E159C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0040BAA8 push ebp; iretd 6_2_0040BAAA
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041B3F2 push eax; ret 6_2_0041B3F8
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041B3FB push eax; ret 6_2_0041B462
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041C399 push edi; ret 6_2_0041C39B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041B3A5 push eax; ret 6_2_0041B3F8
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041B45C push eax; ret 6_2_0041B462
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00415554 push cs; iretd 6_2_00415555
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0041CE23 push esp; ret 6_2_0041CF5C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00413755 push eax; retf 6_2_00413757
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0168D0D1 push ecx; ret 6_2_0168D0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0508D0D1 push ecx; ret 11_2_0508D0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0097BAA8 push ebp; iretd 11_2_0097BAAA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098C399 push edi; ret 11_2_0098C39B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098B3A5 push eax; ret 11_2_0098B3F8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098B3FB push eax; ret 11_2_0098B462
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098B3F2 push eax; ret 11_2_0098B3F8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098B45C push eax; ret 11_2_0098B462
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00985554 push cs; iretd 11_2_00985555
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0098CE23 push esp; ret 11_2_0098CF5C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_00983755 push eax; retf 11_2_00983757
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000009785E4 second address: 00000000009785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 000000000097896E second address: 0000000000978974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_004088A0 rdtsc 6_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe TID: 7056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5856 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6188 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.710461036.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.705821818.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.717818953.000000000FC96000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000007.00000002.920387906.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.711037304.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000000.711186736.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_004088A0 rdtsc 6_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_00409B10 LdrLoadDll, 6_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163C962 mov eax, dword ptr fs:[00000030h] 6_2_0163C962
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163B171 mov eax, dword ptr fs:[00000030h] 6_2_0163B171
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165B944 mov eax, dword ptr fs:[00000030h] 6_2_0165B944
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01654120 mov eax, dword ptr fs:[00000030h] 6_2_01654120
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01654120 mov ecx, dword ptr fs:[00000030h] 6_2_01654120
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166513A mov eax, dword ptr fs:[00000030h] 6_2_0166513A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01639100 mov eax, dword ptr fs:[00000030h] 6_2_01639100
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0163B1E1
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016C41E8 mov eax, dword ptr fs:[00000030h] 6_2_016C41E8
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016661A0 mov eax, dword ptr fs:[00000030h] 6_2_016661A0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B69A6 mov eax, dword ptr fs:[00000030h] 6_2_016B69A6
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B51BE mov eax, dword ptr fs:[00000030h] 6_2_016B51BE
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166A185 mov eax, dword ptr fs:[00000030h] 6_2_0166A185
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165C182 mov eax, dword ptr fs:[00000030h] 6_2_0165C182
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01662990 mov eax, dword ptr fs:[00000030h] 6_2_01662990
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01701074 mov eax, dword ptr fs:[00000030h] 6_2_01701074
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F2073 mov eax, dword ptr fs:[00000030h] 6_2_016F2073
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01650050 mov eax, dword ptr fs:[00000030h] 6_2_01650050
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166002D mov eax, dword ptr fs:[00000030h] 6_2_0166002D
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164B02A mov eax, dword ptr fs:[00000030h] 6_2_0164B02A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01704015 mov eax, dword ptr fs:[00000030h] 6_2_01704015
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B7016 mov eax, dword ptr fs:[00000030h] 6_2_016B7016
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016358EC mov eax, dword ptr fs:[00000030h] 6_2_016358EC
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016CB8D0 mov eax, dword ptr fs:[00000030h] 6_2_016CB8D0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016CB8D0 mov ecx, dword ptr fs:[00000030h] 6_2_016CB8D0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016620A0 mov eax, dword ptr fs:[00000030h] 6_2_016620A0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016790AF mov eax, dword ptr fs:[00000030h] 6_2_016790AF
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166F0BF mov ecx, dword ptr fs:[00000030h] 6_2_0166F0BF
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166F0BF mov eax, dword ptr fs:[00000030h] 6_2_0166F0BF
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01639080 mov eax, dword ptr fs:[00000030h] 6_2_01639080
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B3884 mov eax, dword ptr fs:[00000030h] 6_2_016B3884
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0163DB60
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01663B7A mov eax, dword ptr fs:[00000030h] 6_2_01663B7A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163DB40 mov eax, dword ptr fs:[00000030h] 6_2_0163DB40
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01708B58 mov eax, dword ptr fs:[00000030h] 6_2_01708B58
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163F358 mov eax, dword ptr fs:[00000030h] 6_2_0163F358
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F131B mov eax, dword ptr fs:[00000030h] 6_2_016F131B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016603E2 mov eax, dword ptr fs:[00000030h] 6_2_016603E2
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165DBE9 mov eax, dword ptr fs:[00000030h] 6_2_0165DBE9
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B53CA mov eax, dword ptr fs:[00000030h] 6_2_016B53CA
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01664BAD mov eax, dword ptr fs:[00000030h] 6_2_01664BAD
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01705BA5 mov eax, dword ptr fs:[00000030h] 6_2_01705BA5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F138A mov eax, dword ptr fs:[00000030h] 6_2_016F138A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01641B8F mov eax, dword ptr fs:[00000030h] 6_2_01641B8F
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016ED380 mov ecx, dword ptr fs:[00000030h] 6_2_016ED380
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01662397 mov eax, dword ptr fs:[00000030h] 6_2_01662397
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166B390 mov eax, dword ptr fs:[00000030h] 6_2_0166B390
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016EB260 mov eax, dword ptr fs:[00000030h] 6_2_016EB260
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01708A62 mov eax, dword ptr fs:[00000030h] 6_2_01708A62
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0167927A mov eax, dword ptr fs:[00000030h] 6_2_0167927A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01639240 mov eax, dword ptr fs:[00000030h] 6_2_01639240
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FEA55 mov eax, dword ptr fs:[00000030h] 6_2_016FEA55
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016C4257 mov eax, dword ptr fs:[00000030h] 6_2_016C4257
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01674A2C mov eax, dword ptr fs:[00000030h] 6_2_01674A2C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01648A0A mov eax, dword ptr fs:[00000030h] 6_2_01648A0A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01635210 mov eax, dword ptr fs:[00000030h] 6_2_01635210
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01635210 mov ecx, dword ptr fs:[00000030h] 6_2_01635210
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163AA16 mov eax, dword ptr fs:[00000030h] 6_2_0163AA16
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01653A1C mov eax, dword ptr fs:[00000030h] 6_2_01653A1C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FAA16 mov eax, dword ptr fs:[00000030h] 6_2_016FAA16
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01662AE4 mov eax, dword ptr fs:[00000030h] 6_2_01662AE4
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01662ACB mov eax, dword ptr fs:[00000030h] 6_2_01662ACB
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016352A5 mov eax, dword ptr fs:[00000030h] 6_2_016352A5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0164AAB0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166FAB0 mov eax, dword ptr fs:[00000030h] 6_2_0166FAB0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166D294 mov eax, dword ptr fs:[00000030h] 6_2_0166D294
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165C577 mov eax, dword ptr fs:[00000030h] 6_2_0165C577
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01673D43 mov eax, dword ptr fs:[00000030h] 6_2_01673D43
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B3540 mov eax, dword ptr fs:[00000030h] 6_2_016B3540
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01657D50 mov eax, dword ptr fs:[00000030h] 6_2_01657D50
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01708D34 mov eax, dword ptr fs:[00000030h] 6_2_01708D34
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01643D34 mov eax, dword ptr fs:[00000030h] 6_2_01643D34
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163AD30 mov eax, dword ptr fs:[00000030h] 6_2_0163AD30
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FE539 mov eax, dword ptr fs:[00000030h] 6_2_016FE539
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016BA537 mov eax, dword ptr fs:[00000030h] 6_2_016BA537
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01664D3B mov eax, dword ptr fs:[00000030h] 6_2_01664D3B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0164D5E0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FFDE2 mov eax, dword ptr fs:[00000030h] 6_2_016FFDE2
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016E8DF1 mov eax, dword ptr fs:[00000030h] 6_2_016E8DF1
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B6DC9 mov eax, dword ptr fs:[00000030h] 6_2_016B6DC9
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B6DC9 mov ecx, dword ptr fs:[00000030h] 6_2_016B6DC9
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016635A1 mov eax, dword ptr fs:[00000030h] 6_2_016635A1
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01661DB5 mov eax, dword ptr fs:[00000030h] 6_2_01661DB5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_017005AC mov eax, dword ptr fs:[00000030h] 6_2_017005AC
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01662581 mov eax, dword ptr fs:[00000030h] 6_2_01662581
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01632D8A mov eax, dword ptr fs:[00000030h] 6_2_01632D8A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166FD9B mov eax, dword ptr fs:[00000030h] 6_2_0166FD9B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165746D mov eax, dword ptr fs:[00000030h] 6_2_0165746D
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166A44B mov eax, dword ptr fs:[00000030h] 6_2_0166A44B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016CC450 mov eax, dword ptr fs:[00000030h] 6_2_016CC450
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166BC2C mov eax, dword ptr fs:[00000030h] 6_2_0166BC2C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B6C0A mov eax, dword ptr fs:[00000030h] 6_2_016B6C0A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F1C06 mov eax, dword ptr fs:[00000030h] 6_2_016F1C06
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0170740D mov eax, dword ptr fs:[00000030h] 6_2_0170740D
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F14FB mov eax, dword ptr fs:[00000030h] 6_2_016F14FB
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B6CF0 mov eax, dword ptr fs:[00000030h] 6_2_016B6CF0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01708CD6 mov eax, dword ptr fs:[00000030h] 6_2_01708CD6
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164849B mov eax, dword ptr fs:[00000030h] 6_2_0164849B
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164FF60 mov eax, dword ptr fs:[00000030h] 6_2_0164FF60
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01708F6A mov eax, dword ptr fs:[00000030h] 6_2_01708F6A
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164EF40 mov eax, dword ptr fs:[00000030h] 6_2_0164EF40
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01634F2E mov eax, dword ptr fs:[00000030h] 6_2_01634F2E
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166E730 mov eax, dword ptr fs:[00000030h] 6_2_0166E730
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166A70E mov eax, dword ptr fs:[00000030h] 6_2_0166A70E
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166A70E mov eax, dword ptr fs:[00000030h] 6_2_0166A70E
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165F716 mov eax, dword ptr fs:[00000030h] 6_2_0165F716
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016CFF10 mov eax, dword ptr fs:[00000030h] 6_2_016CFF10
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016CFF10 mov eax, dword ptr fs:[00000030h] 6_2_016CFF10
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0170070D mov eax, dword ptr fs:[00000030h] 6_2_0170070D
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0170070D mov eax, dword ptr fs:[00000030h] 6_2_0170070D
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016737F5 mov eax, dword ptr fs:[00000030h] 6_2_016737F5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01648794 mov eax, dword ptr fs:[00000030h] 6_2_01648794
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B7794 mov eax, dword ptr fs:[00000030h] 6_2_016B7794
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B7794 mov eax, dword ptr fs:[00000030h] 6_2_016B7794
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B7794 mov eax, dword ptr fs:[00000030h] 6_2_016B7794
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0164766D mov eax, dword ptr fs:[00000030h] 6_2_0164766D
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h] 6_2_0165AE73
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h] 6_2_0165AE73
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h] 6_2_0165AE73
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h] 6_2_0165AE73
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0165AE73 mov eax, dword ptr fs:[00000030h] 6_2_0165AE73
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h] 6_2_01647E41
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h] 6_2_01647E41
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h] 6_2_01647E41
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h] 6_2_01647E41
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h] 6_2_01647E41
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01647E41 mov eax, dword ptr fs:[00000030h] 6_2_01647E41
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FAE44 mov eax, dword ptr fs:[00000030h] 6_2_016FAE44
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016FAE44 mov eax, dword ptr fs:[00000030h] 6_2_016FAE44
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163E620 mov eax, dword ptr fs:[00000030h] 6_2_0163E620
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016EFE3F mov eax, dword ptr fs:[00000030h] 6_2_016EFE3F
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163C600 mov eax, dword ptr fs:[00000030h] 6_2_0163C600
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163C600 mov eax, dword ptr fs:[00000030h] 6_2_0163C600
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0163C600 mov eax, dword ptr fs:[00000030h] 6_2_0163C600
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01668E00 mov eax, dword ptr fs:[00000030h] 6_2_01668E00
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016F1608 mov eax, dword ptr fs:[00000030h] 6_2_016F1608
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166A61C mov eax, dword ptr fs:[00000030h] 6_2_0166A61C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_0166A61C mov eax, dword ptr fs:[00000030h] 6_2_0166A61C
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016616E0 mov ecx, dword ptr fs:[00000030h] 6_2_016616E0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016476E2 mov eax, dword ptr fs:[00000030h] 6_2_016476E2
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01678EC7 mov eax, dword ptr fs:[00000030h] 6_2_01678EC7
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01708ED6 mov eax, dword ptr fs:[00000030h] 6_2_01708ED6
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016636CC mov eax, dword ptr fs:[00000030h] 6_2_016636CC
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016EFEC0 mov eax, dword ptr fs:[00000030h] 6_2_016EFEC0
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016B46A7 mov eax, dword ptr fs:[00000030h] 6_2_016B46A7
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01700EA5 mov eax, dword ptr fs:[00000030h] 6_2_01700EA5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01700EA5 mov eax, dword ptr fs:[00000030h] 6_2_01700EA5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_01700EA5 mov eax, dword ptr fs:[00000030h] 6_2_01700EA5
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Code function: 6_2_016CFE87 mov eax, dword ptr fs:[00000030h] 6_2_016CFE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039100 mov eax, dword ptr fs:[00000030h] 11_2_05039100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039100 mov eax, dword ptr fs:[00000030h] 11_2_05039100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039100 mov eax, dword ptr fs:[00000030h] 11_2_05039100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05108D34 mov eax, dword ptr fs:[00000030h] 11_2_05108D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05054120 mov eax, dword ptr fs:[00000030h] 11_2_05054120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05054120 mov eax, dword ptr fs:[00000030h] 11_2_05054120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05054120 mov eax, dword ptr fs:[00000030h] 11_2_05054120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05054120 mov eax, dword ptr fs:[00000030h] 11_2_05054120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05054120 mov ecx, dword ptr fs:[00000030h] 11_2_05054120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05043D34 mov eax, dword ptr fs:[00000030h] 11_2_05043D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503AD30 mov eax, dword ptr fs:[00000030h] 11_2_0503AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FE539 mov eax, dword ptr fs:[00000030h] 11_2_050FE539
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506513A mov eax, dword ptr fs:[00000030h] 11_2_0506513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506513A mov eax, dword ptr fs:[00000030h] 11_2_0506513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050BA537 mov eax, dword ptr fs:[00000030h] 11_2_050BA537
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05064D3B mov eax, dword ptr fs:[00000030h] 11_2_05064D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05064D3B mov eax, dword ptr fs:[00000030h] 11_2_05064D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05064D3B mov eax, dword ptr fs:[00000030h] 11_2_05064D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505B944 mov eax, dword ptr fs:[00000030h] 11_2_0505B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505B944 mov eax, dword ptr fs:[00000030h] 11_2_0505B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05073D43 mov eax, dword ptr fs:[00000030h] 11_2_05073D43
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B3540 mov eax, dword ptr fs:[00000030h] 11_2_050B3540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05057D50 mov eax, dword ptr fs:[00000030h] 11_2_05057D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503C962 mov eax, dword ptr fs:[00000030h] 11_2_0503C962
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503B171 mov eax, dword ptr fs:[00000030h] 11_2_0503B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503B171 mov eax, dword ptr fs:[00000030h] 11_2_0503B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505C577 mov eax, dword ptr fs:[00000030h] 11_2_0505C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505C577 mov eax, dword ptr fs:[00000030h] 11_2_0505C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506A185 mov eax, dword ptr fs:[00000030h] 11_2_0506A185
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505C182 mov eax, dword ptr fs:[00000030h] 11_2_0505C182
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062581 mov eax, dword ptr fs:[00000030h] 11_2_05062581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062581 mov eax, dword ptr fs:[00000030h] 11_2_05062581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062581 mov eax, dword ptr fs:[00000030h] 11_2_05062581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062581 mov eax, dword ptr fs:[00000030h] 11_2_05062581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05032D8A mov eax, dword ptr fs:[00000030h] 11_2_05032D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05032D8A mov eax, dword ptr fs:[00000030h] 11_2_05032D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05032D8A mov eax, dword ptr fs:[00000030h] 11_2_05032D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05032D8A mov eax, dword ptr fs:[00000030h] 11_2_05032D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05032D8A mov eax, dword ptr fs:[00000030h] 11_2_05032D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062990 mov eax, dword ptr fs:[00000030h] 11_2_05062990
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506FD9B mov eax, dword ptr fs:[00000030h] 11_2_0506FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506FD9B mov eax, dword ptr fs:[00000030h] 11_2_0506FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050661A0 mov eax, dword ptr fs:[00000030h] 11_2_050661A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050661A0 mov eax, dword ptr fs:[00000030h] 11_2_050661A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050635A1 mov eax, dword ptr fs:[00000030h] 11_2_050635A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B69A6 mov eax, dword ptr fs:[00000030h] 11_2_050B69A6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05061DB5 mov eax, dword ptr fs:[00000030h] 11_2_05061DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05061DB5 mov eax, dword ptr fs:[00000030h] 11_2_05061DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05061DB5 mov eax, dword ptr fs:[00000030h] 11_2_05061DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B51BE mov eax, dword ptr fs:[00000030h] 11_2_050B51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B51BE mov eax, dword ptr fs:[00000030h] 11_2_050B51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B51BE mov eax, dword ptr fs:[00000030h] 11_2_050B51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B51BE mov eax, dword ptr fs:[00000030h] 11_2_050B51BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_051005AC mov eax, dword ptr fs:[00000030h] 11_2_051005AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_051005AC mov eax, dword ptr fs:[00000030h] 11_2_051005AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6DC9 mov eax, dword ptr fs:[00000030h] 11_2_050B6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6DC9 mov eax, dword ptr fs:[00000030h] 11_2_050B6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6DC9 mov eax, dword ptr fs:[00000030h] 11_2_050B6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6DC9 mov ecx, dword ptr fs:[00000030h] 11_2_050B6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6DC9 mov eax, dword ptr fs:[00000030h] 11_2_050B6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6DC9 mov eax, dword ptr fs:[00000030h] 11_2_050B6DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0503B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0503B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0503B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050C41E8 mov eax, dword ptr fs:[00000030h] 11_2_050C41E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504D5E0 mov eax, dword ptr fs:[00000030h] 11_2_0504D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504D5E0 mov eax, dword ptr fs:[00000030h] 11_2_0504D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FFDE2 mov eax, dword ptr fs:[00000030h] 11_2_050FFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FFDE2 mov eax, dword ptr fs:[00000030h] 11_2_050FFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FFDE2 mov eax, dword ptr fs:[00000030h] 11_2_050FFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FFDE2 mov eax, dword ptr fs:[00000030h] 11_2_050FFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050E8DF1 mov eax, dword ptr fs:[00000030h] 11_2_050E8DF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6C0A mov eax, dword ptr fs:[00000030h] 11_2_050B6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6C0A mov eax, dword ptr fs:[00000030h] 11_2_050B6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6C0A mov eax, dword ptr fs:[00000030h] 11_2_050B6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6C0A mov eax, dword ptr fs:[00000030h] 11_2_050B6C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05104015 mov eax, dword ptr fs:[00000030h] 11_2_05104015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05104015 mov eax, dword ptr fs:[00000030h] 11_2_05104015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1C06 mov eax, dword ptr fs:[00000030h] 11_2_050F1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B7016 mov eax, dword ptr fs:[00000030h] 11_2_050B7016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B7016 mov eax, dword ptr fs:[00000030h] 11_2_050B7016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B7016 mov eax, dword ptr fs:[00000030h] 11_2_050B7016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0510740D mov eax, dword ptr fs:[00000030h] 11_2_0510740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0510740D mov eax, dword ptr fs:[00000030h] 11_2_0510740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0510740D mov eax, dword ptr fs:[00000030h] 11_2_0510740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506BC2C mov eax, dword ptr fs:[00000030h] 11_2_0506BC2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506002D mov eax, dword ptr fs:[00000030h] 11_2_0506002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506002D mov eax, dword ptr fs:[00000030h] 11_2_0506002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506002D mov eax, dword ptr fs:[00000030h] 11_2_0506002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506002D mov eax, dword ptr fs:[00000030h] 11_2_0506002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506002D mov eax, dword ptr fs:[00000030h] 11_2_0506002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504B02A mov eax, dword ptr fs:[00000030h] 11_2_0504B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504B02A mov eax, dword ptr fs:[00000030h] 11_2_0504B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504B02A mov eax, dword ptr fs:[00000030h] 11_2_0504B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504B02A mov eax, dword ptr fs:[00000030h] 11_2_0504B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506A44B mov eax, dword ptr fs:[00000030h] 11_2_0506A44B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05050050 mov eax, dword ptr fs:[00000030h] 11_2_05050050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05050050 mov eax, dword ptr fs:[00000030h] 11_2_05050050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CC450 mov eax, dword ptr fs:[00000030h] 11_2_050CC450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CC450 mov eax, dword ptr fs:[00000030h] 11_2_050CC450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05101074 mov eax, dword ptr fs:[00000030h] 11_2_05101074
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505746D mov eax, dword ptr fs:[00000030h] 11_2_0505746D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F2073 mov eax, dword ptr fs:[00000030h] 11_2_050F2073
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039080 mov eax, dword ptr fs:[00000030h] 11_2_05039080
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B3884 mov eax, dword ptr fs:[00000030h] 11_2_050B3884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B3884 mov eax, dword ptr fs:[00000030h] 11_2_050B3884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504849B mov eax, dword ptr fs:[00000030h] 11_2_0504849B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h] 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h] 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h] 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h] 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h] 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050620A0 mov eax, dword ptr fs:[00000030h] 11_2_050620A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050790AF mov eax, dword ptr fs:[00000030h] 11_2_050790AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506F0BF mov ecx, dword ptr fs:[00000030h] 11_2_0506F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506F0BF mov eax, dword ptr fs:[00000030h] 11_2_0506F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506F0BF mov eax, dword ptr fs:[00000030h] 11_2_0506F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05108CD6 mov eax, dword ptr fs:[00000030h] 11_2_05108CD6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h] 11_2_050CB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CB8D0 mov ecx, dword ptr fs:[00000030h] 11_2_050CB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h] 11_2_050CB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h] 11_2_050CB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h] 11_2_050CB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CB8D0 mov eax, dword ptr fs:[00000030h] 11_2_050CB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050358EC mov eax, dword ptr fs:[00000030h] 11_2_050358EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F14FB mov eax, dword ptr fs:[00000030h] 11_2_050F14FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6CF0 mov eax, dword ptr fs:[00000030h] 11_2_050B6CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6CF0 mov eax, dword ptr fs:[00000030h] 11_2_050B6CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B6CF0 mov eax, dword ptr fs:[00000030h] 11_2_050B6CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506A70E mov eax, dword ptr fs:[00000030h] 11_2_0506A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506A70E mov eax, dword ptr fs:[00000030h] 11_2_0506A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505F716 mov eax, dword ptr fs:[00000030h] 11_2_0505F716
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F131B mov eax, dword ptr fs:[00000030h] 11_2_050F131B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CFF10 mov eax, dword ptr fs:[00000030h] 11_2_050CFF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050CFF10 mov eax, dword ptr fs:[00000030h] 11_2_050CFF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0510070D mov eax, dword ptr fs:[00000030h] 11_2_0510070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0510070D mov eax, dword ptr fs:[00000030h] 11_2_0510070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05034F2E mov eax, dword ptr fs:[00000030h] 11_2_05034F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05034F2E mov eax, dword ptr fs:[00000030h] 11_2_05034F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506E730 mov eax, dword ptr fs:[00000030h] 11_2_0506E730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503DB40 mov eax, dword ptr fs:[00000030h] 11_2_0503DB40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504EF40 mov eax, dword ptr fs:[00000030h] 11_2_0504EF40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05108B58 mov eax, dword ptr fs:[00000030h] 11_2_05108B58
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503F358 mov eax, dword ptr fs:[00000030h] 11_2_0503F358
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503DB60 mov ecx, dword ptr fs:[00000030h] 11_2_0503DB60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504FF60 mov eax, dword ptr fs:[00000030h] 11_2_0504FF60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05108F6A mov eax, dword ptr fs:[00000030h] 11_2_05108F6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05063B7A mov eax, dword ptr fs:[00000030h] 11_2_05063B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05063B7A mov eax, dword ptr fs:[00000030h] 11_2_05063B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F138A mov eax, dword ptr fs:[00000030h] 11_2_050F138A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05041B8F mov eax, dword ptr fs:[00000030h] 11_2_05041B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05041B8F mov eax, dword ptr fs:[00000030h] 11_2_05041B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050ED380 mov ecx, dword ptr fs:[00000030h] 11_2_050ED380
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05048794 mov eax, dword ptr fs:[00000030h] 11_2_05048794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05062397 mov eax, dword ptr fs:[00000030h] 11_2_05062397
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506B390 mov eax, dword ptr fs:[00000030h] 11_2_0506B390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B7794 mov eax, dword ptr fs:[00000030h] 11_2_050B7794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B7794 mov eax, dword ptr fs:[00000030h] 11_2_050B7794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B7794 mov eax, dword ptr fs:[00000030h] 11_2_050B7794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05064BAD mov eax, dword ptr fs:[00000030h] 11_2_05064BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05064BAD mov eax, dword ptr fs:[00000030h] 11_2_05064BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05064BAD mov eax, dword ptr fs:[00000030h] 11_2_05064BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05105BA5 mov eax, dword ptr fs:[00000030h] 11_2_05105BA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B53CA mov eax, dword ptr fs:[00000030h] 11_2_050B53CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050B53CA mov eax, dword ptr fs:[00000030h] 11_2_050B53CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h] 11_2_050603E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h] 11_2_050603E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h] 11_2_050603E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h] 11_2_050603E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h] 11_2_050603E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050603E2 mov eax, dword ptr fs:[00000030h] 11_2_050603E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0505DBE9 mov eax, dword ptr fs:[00000030h] 11_2_0505DBE9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050737F5 mov eax, dword ptr fs:[00000030h] 11_2_050737F5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503C600 mov eax, dword ptr fs:[00000030h] 11_2_0503C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503C600 mov eax, dword ptr fs:[00000030h] 11_2_0503C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503C600 mov eax, dword ptr fs:[00000030h] 11_2_0503C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05068E00 mov eax, dword ptr fs:[00000030h] 11_2_05068E00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050F1608 mov eax, dword ptr fs:[00000030h] 11_2_050F1608
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05048A0A mov eax, dword ptr fs:[00000030h] 11_2_05048A0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05035210 mov eax, dword ptr fs:[00000030h] 11_2_05035210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05035210 mov ecx, dword ptr fs:[00000030h] 11_2_05035210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05035210 mov eax, dword ptr fs:[00000030h] 11_2_05035210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05035210 mov eax, dword ptr fs:[00000030h] 11_2_05035210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503AA16 mov eax, dword ptr fs:[00000030h] 11_2_0503AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503AA16 mov eax, dword ptr fs:[00000030h] 11_2_0503AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05053A1C mov eax, dword ptr fs:[00000030h] 11_2_05053A1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506A61C mov eax, dword ptr fs:[00000030h] 11_2_0506A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0506A61C mov eax, dword ptr fs:[00000030h] 11_2_0506A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0503E620 mov eax, dword ptr fs:[00000030h] 11_2_0503E620
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05074A2C mov eax, dword ptr fs:[00000030h] 11_2_05074A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05074A2C mov eax, dword ptr fs:[00000030h] 11_2_05074A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050EFE3F mov eax, dword ptr fs:[00000030h] 11_2_050EFE3F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039240 mov eax, dword ptr fs:[00000030h] 11_2_05039240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039240 mov eax, dword ptr fs:[00000030h] 11_2_05039240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039240 mov eax, dword ptr fs:[00000030h] 11_2_05039240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05039240 mov eax, dword ptr fs:[00000030h] 11_2_05039240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h] 11_2_05047E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h] 11_2_05047E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h] 11_2_05047E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h] 11_2_05047E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h] 11_2_05047E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_05047E41 mov eax, dword ptr fs:[00000030h] 11_2_05047E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FAE44 mov eax, dword ptr fs:[00000030h] 11_2_050FAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FAE44 mov eax, dword ptr fs:[00000030h] 11_2_050FAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050FEA55 mov eax, dword ptr fs:[00000030h] 11_2_050FEA55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050C4257 mov eax, dword ptr fs:[00000030h] 11_2_050C4257
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_0504766D mov eax, dword ptr fs:[00000030h] 11_2_0504766D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050EB260 mov eax, dword ptr fs:[00000030h] 11_2_050EB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_050EB260 mov eax, dword ptr fs:[00000030h] 11_2_050EB260
Enables debug privileges
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 202.66.173.116 80
Source: C:\Windows\explorer.exe Network Connect: 94.23.162.163 80
Source: C:\Windows\explorer.exe Network Connect: 118.27.99.84 80
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Network Connect: 142.91.239.112 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 184.106.16.223 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Memory written: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 13E0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
Source: explorer.exe, 00000007.00000002.911089779.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp, explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000007.00000000.690773067.0000000001080000.00000002.00000001.sdmp, explorer.exe, 0000000B.00000002.912803078.0000000003750000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.711037304.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE
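The same seven memory-dump descriptors appear under both "Stealing of Sensitive Information" and "Remote Access Functionality" above. A practitioner reading them wants two things the list does not state outright: which matched regions were writable and executable at dump time (unpacked or injected code), and which match sits at the default 32-bit image base, the hollowed process. The script below is an added example, not part of the sandbox report; the field layout it assumes (process number, dump index, region base, page protection) is inferred from the report's own cross-reference between the descriptor ending in 0000000000400000.00000040 and the entry 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, and the third and sixth fields are left uninterpreted.

```python
import re
from collections import Counter, namedtuple

# Memory-dump descriptors copied from the "Yara detected FormBook" lists above.
YARA_MEMORY_MATCHES = [
    "0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp",
    "00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp",
    "0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp",
    "00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp",
    "00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp",
    "00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp",
    "0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp",
]

# Win32 page-protection constants (winnt.h).
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITABLE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

Dump = namedtuple("Dump", "name process index base protection")

# Assumed field layout (see lead-in): <process>.<dump index>.<uninterpreted>.
# <region base>.<page protection>.<uninterpreted>.sdmp, all hex except field 3.
DESC_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)


def parse_dump_name(name):
    """Split one .sdmp descriptor into its numeric fields."""
    m = DESC_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory-dump descriptor: {name}")
    return Dump(
        name=name,
        process=int(m["proc"], 16),
        index=int(m["idx"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
    )


def is_rwx(dump):
    """True when the region was both writable and executable when dumped."""
    return bool(dump.protection & EXECUTABLE_MASK) and bool(dump.protection & WRITABLE_MASK)


def triage(names, image_base=0x400000):
    """Read the matches the way an analyst would: RWX regions hold unpacked or
    injected code, and a match at the default 32-bit image base inside a
    process that was created suspended is the hollowed image itself."""
    dumps = [parse_dump_name(n) for n in names]
    return {
        "rwx": [d.name for d in dumps if is_rwx(d)],
        "writable_only": [d.name for d in dumps if not is_rwx(d)],
        "at_image_base": [d.name for d in dumps if d.base == image_base],
        "per_process": dict(Counter(d.process for d in dumps)),
    }


if __name__ == "__main__":
    for key, value in triage(YARA_MEMORY_MATCHES).items():
        print(key, value)
```

Run against the list above, five of the seven matches are in PAGE_EXECUTE_READWRITE memory, the only match at 0x400000 is in process 6 (the second 0O9BJfVJi6fEMoS.exe instance, which the process tree shows as the one performing the hollowing), and the single match in process 0 is a PAGE_READWRITE heap region, consistent with the .NET loader holding the decrypted payload before injection.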
Behavior Graph

ID: 356555  Sample: 0O9BJfVJi6fEMoS.exe  Startdate: 23/02/2021  Architecture: WINDOWS  Score: 100

Domains resolved at start: www.grandwhale.com, www.smallbathroomdecor.info, HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com
Signatures at start: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

Process tree:
0O9BJfVJi6fEMoS.exe (started)
  dropped: C:\Users\user\...\0O9BJfVJi6fEMoS.exe.log (ASCII)
  signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  +- 0O9BJfVJi6fEMoS.exe (started)
  |    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
  |    +- explorer.exe (injected)
  |         network: dgcsales.net 184.106.16.223, ports 49764 -> 80 (RACKSPACEUS, United States); www.besteprobioticakopen.online 94.23.162.163, ports 49770 -> 80 (OVHFR, France); 17 other IPs or domains
  |         signatures: System process connects to network (likely due to code injection or exploit)
  |         +- explorer.exe (started)
  |         |    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  |         |    +- cmd.exe (started)
  |         |         +- conhost.exe (started)
  |         +- autofmt.exe (started)
  +- 0O9BJfVJi6fEMoS.exe (started)

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                               Malicious
202.66.173.116   unknown  India          17439   NETMAGIC-APNetmagicDatacenterMumbaiIN  true
35.246.6.109     unknown  United States  15169   GOOGLEUS                               true
94.23.162.163    unknown  France         16276   OVHFR                                  true
118.27.99.84     unknown  Japan          7506    INTERQGMOInternetIncJP                 true
160.153.136.3    unknown  United States  21501   GODADDY-AMSDE                          true
142.91.239.112   unknown  United States  395954  LEASEWEB-USA-LAX-11US                  true
23.227.38.74     unknown  Canada         13335   CLOUDFLARENETUS                        true
34.102.136.180   unknown  United States  15169   GOOGLEUS                               true
184.106.16.223   unknown  United States  19994   RACKSPACEUS                            true

Contacted Domains

Name IP Active
www.horisan-touki.com 118.27.99.84 true
karthikeyainfraindia.com 202.66.173.116 true
td-balancer-euw2-6-109.wixdns.net 35.246.6.109 true
www.besteprobioticakopen.online 94.23.162.163 true
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com 3.223.115.185 true
buysellleasewithlisa.com 160.153.136.3 true
www.fastenerspelosato.net 142.91.239.112 true
shops.myshopify.com 23.227.38.74 true
fertinvitro.doctor 34.102.136.180 true
dgcsales.net 184.106.16.223 true
www.smallbathroomdecor.info 88.214.207.96 true
www.sissysundays.com unknown unknown
www.whereinthezooareyou.com unknown unknown
www.buysellleasewithlisa.com unknown unknown
www.guilhermeoliveiro.site unknown unknown
www.grandwhale.com unknown unknown
www.dgcsales.net unknown unknown
www.fertinvitro.doctor unknown unknown
www.karthikeyainfraindia.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.fastenerspelosato.net/uszn/?I48=ilzBSMt+mC5PnIueaE0o4kFNHHW8rQxTZUVxaBcrk7HNT8xc6ayAEkd5Nrf40/DEmyGF&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
http://www.horisan-touki.com/uszn/?I48=QfBSKsl5Vu8QEYvg6r6EpYBO+tHghinNKHDEOdj6/CEQOiVDlwCi9gx1TH+D8HDA3Ujy&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
http://www.buysellleasewithlisa.com/uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
http://www.fertinvitro.doctor/uszn/?I48=z5jHb1CZWrsr2p16zetrIsrl3FBZKeiByVV0oSV+dvaqVG1rneJc4YmewlelB8A40GEQ&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
http://www.whereinthezooareyou.com/uszn/?I48=lR8nCh02VBrVevH9DBfx7BVzy1/OBYfsNcE9m+G8n0i7QYmfgEfs3uLKSpan4882ouVy&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
http://www.sissysundays.com/uszn/?I48=52ikA0v5VO8qsylJfSO1DetMiatJe0E1D9rBoJ+nHZYmtxf70roQflY+S8wYouTF3o6y&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
www.besteprobioticakopen.online/uszn/ | true | Avira URL Cloud: malware | low
http://www.karthikeyainfraindia.com/uszn/?I48=L/tqFlZRmZhJZD1iC7RgW0bOgnRBAskMdyXY70yD3QYv5j7RY53hkHd2ZTpB0JeH3WIq&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown
http://www.besteprobioticakopen.online/uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX | true | Avira URL Cloud: malware | unknown
http://www.dgcsales.net/uszn/?I48=hu5lsjyQ8jtyvTSzqUKsO9FdlIq7HJAoGWXF85Byxyx8kG/0QeCZ2D448NGSTsl89HtB&ofrxU=yVMtQLoX | true | Avira URL Cloud: safe | unknown