Analysis Report transferir copia_98087.exe

AV Detection:

Found malware configuration

Source: 1.2.transferir copia_98087.exe.400000.0.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.basiclablife.com/8zdn/"], "decoy": ["yourherogarden.net", "onlineharambee.net", "cerrajeriaurgencias24horas.com", "distritoforex.com", "verifyclientserverssr.com", "dandwg.com", "co2-zero.global", "joshssl.com", "meckwt.com", "theammf.com", "rawclectic.com", "gzgnetwork.com", "richmondavenuecoc.com", "nicolelyte.com", "thetinyclosetboutique.com", "llt-group.net", "seven-sky-design.com", "joganifinancialgrp.com", "elementsvapes.com", "bingent.info", "quaichshop.net", "unethicalsgsblaw.com", "matts.digital", "lexafit.com", "covidwanderings.com", "pk972.com", "fanashaadivine.com", "winharadesigns.com", "adosignite.com", "goldengatesimmigration.com", "unazampanelcuore.com", "gasexecutive.com", "sdps365.net", "worthingtonminnesota.com", "ducatsupply.com", "beijinghui1.icu", "hn-bet.com", "homeforsalesteamboat.com", "tiaozaoxinlingshou.net", "mrbils.net", "depuitycollector.com", "winningovereating.com", "usedonlyrvs.com", "verbinoz.com", "threepocketmedia.com", "lizbing.com", "fivestardogfoods.com", "edevercal.net", "irisettelment.com", "beautyphernalia.com", "terrawindglobalprotection.net", "floridaindian.com", "kidzistore.com", "kulisbet117.com", "logingatech.info", "ftdk.net", "lawwise.legal", "bruthawar.com", "lemonpublishing.com", "6781529.com", "zfxsotc.com", "shroomsdrop.com", "ahm-app.com", "finesilversmith.com"]}

Multi AV Scanner detection for submitted file

Source: transferir copia_98087.exe	Virustotal: Detection: 22%			Perma Link
Source: transferir copia_98087.exe	ReversingLabs: Detection: 12%

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE

Antivirus or Machine Learning detection for unpacked file

Source: 1.2.transferir copia_98087.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: transferir copia_98087.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: transferir copia_98087.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: msdt.pdbGCTL source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: transferir copia_98087.exe, 00000001.00000002.271679191.00000000019E0000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.483918470.0000000004950000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: transferir copia_98087.exe, msdt.exe
Source:	Binary string: msdt.pdb source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 4x nop then pop edi		1_2_004162C2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi		5_2_025262C2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.basiclablife.com/8zdn/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=SUc3155gDWt5wcoflZcZzViJ8x0waKhO+xEIOi+15/K5BoZoLZ14fR9wugBfYGntPchb&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.unazampanelcuore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=/2j9R2c14anpqf93w73dauHGA2TQKIR5Q7oZ32qrr3zEGdcNMDJzBydR7UkO3mu0OgLM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.floridaindian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=tcuwTISCal6Za70kmDoHryScybsdFOei7/WOW4uZGfRR2kwAWg6MdyjVPec/+BbHDhr0&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.quaichshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=VcGUHpmld1zswDwg40mcNwm1CX0p/o+pgHyf/FjbYLUTXfqCXvPFwiBdk0mlGpZRYzTf&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.basiclablife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=XOXl3Nuj7M9zcIBR6B45qltQ4dmo97Szsxf/DI8gOGgyBhu8HbEkl8wbqGipvTOnLwwM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.elementsvapes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hIXmrhUyU1aP5+vldRGL92fa8Yv5W8V1zdDiddkx2jBPb190TW7wCmtqgCRS1U4M3bOQ&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.hn-bet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.gasexecutive.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=eGnYEUgg+wSQcZ375yCgdfFf6E1Kt+cpyPOB6e9JmwPPtBsaC8CQtumAL6bFnIfy9ObU&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.shroomsdrop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 46.23.69.44 46.23.69.44
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: UK2NET-ASGB UK2NET-ASGB

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=SUc3155gDWt5wcoflZcZzViJ8x0waKhO+xEIOi+15/K5BoZoLZ14fR9wugBfYGntPchb&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.unazampanelcuore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=/2j9R2c14anpqf93w73dauHGA2TQKIR5Q7oZ32qrr3zEGdcNMDJzBydR7UkO3mu0OgLM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.floridaindian.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=tcuwTISCal6Za70kmDoHryScybsdFOei7/WOW4uZGfRR2kwAWg6MdyjVPec/+BbHDhr0&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.quaichshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=VcGUHpmld1zswDwg40mcNwm1CX0p/o+pgHyf/FjbYLUTXfqCXvPFwiBdk0mlGpZRYzTf&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.basiclablife.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=XOXl3Nuj7M9zcIBR6B45qltQ4dmo97Szsxf/DI8gOGgyBhu8HbEkl8wbqGipvTOnLwwM&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.elementsvapes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hIXmrhUyU1aP5+vldRGL92fa8Yv5W8V1zdDiddkx2jBPb190TW7wCmtqgCRS1U4M3bOQ&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.hn-bet.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.gasexecutive.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /8zdn/?kH=eGnYEUgg+wSQcZ375yCgdfFf6E1Kt+cpyPOB6e9JmwPPtBsaC8CQtumAL6bFnIfy9ObU&Bld=UVCtYPUHlPSP HTTP/1.1Host: www.shroomsdrop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: www.unazampanelcuore.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 23 Feb 2021 16:22:34 GMTContent-Type: text/htmlContent-Length: 498Connection: closeLast-Modified: Mon, 01 Dec 2014 15:09:45 GMTChimera-API-Server: api1.uk.chimera.uk2group.comX-Powered-By: Perl Dancer 1.3512Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 65 72 72 6f 72 2e 63 73 73 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 3c 2f 68 31 3e 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 3c 70 3e 53 6f 72 72 79 2c 20 74 68 69 73 20 69 73 20 74 68 65 20 76 6f 69 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 66 6f 6f 74 65 72 22 3e 0a 50 6f 77 65 72 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 70 65 72 6c 64 61 6e 63 65 72 2e 6f 72 67 2f 22 3e 44 61 6e 63 65 72 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Error 404</title><link rel="stylesheet" href="/css/error.css" /><meta http-equiv="Content-type" content="text/html; charset=UTF-8" /></head><body><h1>Error 404</h1><div id="content"><h2>Page Not Found</h2><p>Sorry, this is the void.</p></div><div id="footer">Powered by <a href="http://perldancer.org/">Dancer</a></div></body></html>

Urls found in memory or binary data

Source: explorer.exe, 00000002.00000000.257307365.000000000F6E0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: transferir copia_98087.exe	String found in binary or memory: http://qunect.com/download/QuNect.exe
Source: transferir copia_98087.exe	String found in binary or memory: http://qunect.com/download/QuNect.exeMOperation
Source: transferir copia_98087.exe	String found in binary or memory: http://validator.w3.org/check?uri=referer
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: transferir copia_98087.exe, 00000000.00000002.226153911.0000000001707000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comoj
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: transferir copia_98087.exe, 00000000.00000003.213165665.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comaN
Source: transferir copia_98087.exe, 00000000.00000003.213165665.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comn6
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, transferir copia_98087.exe, 00000000.00000003.214660820.0000000005F6E000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: transferir copia_98087.exe, 00000000.00000003.214660820.0000000005F6E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: msdt.exe, 00000005.00000002.482494718.0000000002B17000.00000004.00000020.sdmp	String found in binary or memory: http://www.tiaozaoxinlingshou.net/8zdn/?kH=/eNJxuqSWy6YBrvXrJK0
Source: explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: transferir copia_98087.exe, 00000000.00000003.213582395.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comFa
Source: transferir copia_98087.exe, 00000000.00000003.213440315.0000000005F7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comj
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: transferir copia_98087.exe, 00000000.00000002.225323893.0000000001438000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004181C0 NtCreateFile,		1_2_004181C0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00418270 NtReadFile,		1_2_00418270
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004182F0 NtClose,		1_2_004182F0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004183A0 NtAllocateVirtualMemory,		1_2_004183A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00418212 NtReadFile,		1_2_00418212
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_004182EF NtClose,		1_2_004182EF
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041839B NtAllocateVirtualMemory,		1_2_0041839B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A499A0 NtCreateSection,LdrInitializeThunk,		1_2_01A499A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A495D0 NtClose,LdrInitializeThunk,		1_2_01A495D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49910 NtAdjustPrivilegesToken,LdrInitializeThunk,		1_2_01A49910
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49540 NtReadFile,LdrInitializeThunk,		1_2_01A49540
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A498F0 NtReadVirtualMemory,LdrInitializeThunk,		1_2_01A498F0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49860 NtQuerySystemInformation,LdrInitializeThunk,		1_2_01A49860
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49840 NtDelayExecution,LdrInitializeThunk,		1_2_01A49840
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A497A0 NtUnmapViewOfSection,LdrInitializeThunk,		1_2_01A497A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49780 NtMapViewOfSection,LdrInitializeThunk,		1_2_01A49780
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49FE0 NtCreateMutant,LdrInitializeThunk,		1_2_01A49FE0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49710 NtQueryInformationToken,LdrInitializeThunk,		1_2_01A49710
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A496E0 NtFreeVirtualMemory,LdrInitializeThunk,		1_2_01A496E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A20 NtResumeThread,LdrInitializeThunk,		1_2_01A49A20
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A00 NtProtectVirtualMemory,LdrInitializeThunk,		1_2_01A49A00
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49660 NtAllocateVirtualMemory,LdrInitializeThunk,		1_2_01A49660
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A50 NtCreateFile,LdrInitializeThunk,		1_2_01A49A50
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A495F0 NtQueryInformationFile,		1_2_01A495F0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A499D0 NtCreateProcessEx,		1_2_01A499D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49520 NtWaitForSingleObject,		1_2_01A49520
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4AD30 NtSetContextThread,		1_2_01A4AD30
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49560 NtWriteFile,		1_2_01A49560
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49950 NtQueueApcThread,		1_2_01A49950
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A498A0 NtWriteVirtualMemory,		1_2_01A498A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49820 NtEnumerateKey,		1_2_01A49820
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4B040 NtSuspendThread,		1_2_01A4B040
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4A3B0 NtGetContextThread,		1_2_01A4A3B0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49730 NtQueryVirtualMemory,		1_2_01A49730
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49B00 NtSetValueKey,		1_2_01A49B00
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4A710 NtOpenProcessToken,		1_2_01A4A710
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49760 NtOpenProcess,		1_2_01A49760
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49770 NtSetInformationFile,		1_2_01A49770
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4A770 NtOpenThread,		1_2_01A4A770
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A80 NtOpenDirectoryObject,		1_2_01A49A80
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A496D0 NtCreateKey,		1_2_01A496D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49610 NtEnumerateValueKey,		1_2_01A49610
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49A10 NtQuerySection,		1_2_01A49A10
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49670 NtQueryInformationProcess,		1_2_01A49670
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A49650 NtQueryValueKey,		1_2_01A49650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B95D0 NtClose,LdrInitializeThunk,		5_2_049B95D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9540 NtReadFile,LdrInitializeThunk,		5_2_049B9540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B96D0 NtCreateKey,LdrInitializeThunk,		5_2_049B96D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B96E0 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_049B96E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9650 NtQueryValueKey,LdrInitializeThunk,		5_2_049B9650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9660 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_049B9660
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9780 NtMapViewOfSection,LdrInitializeThunk,		5_2_049B9780
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9FE0 NtCreateMutant,LdrInitializeThunk,		5_2_049B9FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9710 NtQueryInformationToken,LdrInitializeThunk,		5_2_049B9710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9840 NtDelayExecution,LdrInitializeThunk,		5_2_049B9840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9860 NtQuerySystemInformation,LdrInitializeThunk,		5_2_049B9860
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B99A0 NtCreateSection,LdrInitializeThunk,		5_2_049B99A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_049B9910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A50 NtCreateFile,LdrInitializeThunk,		5_2_049B9A50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B95F0 NtQueryInformationFile,		5_2_049B95F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BAD30 NtSetContextThread,		5_2_049BAD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9520 NtWaitForSingleObject,		5_2_049B9520
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9560 NtWriteFile,		5_2_049B9560
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9610 NtEnumerateValueKey,		5_2_049B9610
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9670 NtQueryInformationProcess,		5_2_049B9670
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B97A0 NtUnmapViewOfSection,		5_2_049B97A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BA710 NtOpenProcessToken,		5_2_049BA710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9730 NtQueryVirtualMemory,		5_2_049B9730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BA770 NtOpenThread,		5_2_049BA770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9770 NtSetInformationFile,		5_2_049B9770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9760 NtOpenProcess,		5_2_049B9760
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B98A0 NtWriteVirtualMemory,		5_2_049B98A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B98F0 NtReadVirtualMemory,		5_2_049B98F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9820 NtEnumerateKey,		5_2_049B9820
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BB040 NtSuspendThread,		5_2_049BB040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B99D0 NtCreateProcessEx,		5_2_049B99D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9950 NtQueueApcThread,		5_2_049B9950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A80 NtOpenDirectoryObject,		5_2_049B9A80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A10 NtQuerySection,		5_2_049B9A10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A00 NtProtectVirtualMemory,		5_2_049B9A00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9A20 NtResumeThread,		5_2_049B9A20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049BA3B0 NtGetContextThread,		5_2_049BA3B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B9B00 NtSetValueKey,		5_2_049B9B00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02528270 NtReadFile,		5_2_02528270
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025282F0 NtClose,		5_2_025282F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025283A0 NtAllocateVirtualMemory,		5_2_025283A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025281C0 NtCreateFile,		5_2_025281C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02528212 NtReadFile,		5_2_02528212
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_025282EF NtClose,		5_2_025282EF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252839B NtAllocateVirtualMemory,		5_2_0252839B

Detected potential crypto function

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_0308F371		0_2_0308F371
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_0308F380		0_2_0308F380
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_0308D0F4		0_2_0308D0F4
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_05A4F4F8		0_2_05A4F4F8
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_05A4B6A0		0_2_05A4B6A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 0_2_05A4C180		0_2_05A4C180
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00401030		1_2_00401030
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041B984		1_2_0041B984
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041C220		1_2_0041C220
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041BC52		1_2_0041BC52
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00408C5B		1_2_00408C5B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00408C60		1_2_00408C60
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041CC9E		1_2_0041CC9E
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041C537		1_2_0041C537
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00402D90		1_2_00402D90
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041BE70		1_2_0041BE70
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041CF66		1_2_0041CF66
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041BF90		1_2_0041BF90
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00402FB0		1_2_00402FB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32581		1_2_01A32581
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1D5E0		1_2_01A1D5E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD25DD		1_2_01AD25DD
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A00D20		1_2_01A00D20
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120		1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0F900		1_2_01A0F900
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD2D07		1_2_01AD2D07
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD1D55		1_2_01AD1D55
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD20A8		1_2_01AD20A8
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1B090		1_2_01A1B090
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD28EC		1_2_01AD28EC
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1002		1_2_01AC1002
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1841F		1_2_01A1841F
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3EBB0		1_2_01A3EBB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD1FF1		1_2_01AD1FF1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACDBD2		1_2_01ACDBD2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD2B28		1_2_01AD2B28
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD22AE		1_2_01AD22AE
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD2EF7		1_2_01AD2EF7
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A26E30		1_2_01A26E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498841F		5_2_0498841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3D466		5_2_04A3D466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2581		5_2_049A2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498D5E0		5_2_0498D5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A425DD		5_2_04A425DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A42D07		5_2_04A42D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04970D20		5_2_04970D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A41D55		5_2_04A41D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A42EF7		5_2_04A42EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04996E30		5_2_04996E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3D616		5_2_04A3D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A41FF1		5_2_04A41FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4DFCE		5_2_04A4DFCE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498B090		5_2_0498B090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A420A8		5_2_04A420A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A428EC		5_2_04A428EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4E824		5_2_04A4E824
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31002		5_2_04A31002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A830		5_2_0499A830
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497F900		5_2_0497F900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04994120		5_2_04994120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A422AE		5_2_04A422AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34AEF		5_2_04A34AEF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A2FA2B		5_2_04A2FA2B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AEBB0		5_2_049AEBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A223E3		5_2_04A223E3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AABD8		5_2_049AABD8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3DBD2		5_2_04A3DBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A303DA		5_2_04A303DA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A42B28		5_2_04A42B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A309		5_2_0499A309
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AB40		5_2_0499AB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252B984		5_2_0252B984
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252CF66		5_2_0252CF66
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252BF90		5_2_0252BF90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02512FB0		5_2_02512FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02518C5B		5_2_02518C5B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02518C60		5_2_02518C60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252CC9E		5_2_0252CC9E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252C537		5_2_0252C537
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02512D90		5_2_02512D90

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 0497B150 appears 124 times
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: String function: 01A0B150 appears 35 times

Sample file is different than original file name gathered from version info

Source: transferir copia_98087.exe, 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.225323893.0000000001438000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.233022672.0000000008EC0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.232951484.0000000008E90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000000.00000002.223882180.0000000000D24000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000001.00000000.223139596.0000000000FA4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000001.00000002.271869350.0000000001AFF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs transferir copia_98087.exe
Source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs transferir copia_98087.exe
Source: transferir copia_98087.exe	Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe

Uses 32bit PE files

Source: transferir copia_98087.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: transferir copia_98087.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@12/9

Creates files inside the user directory

Source: C:\Users\user\Desktop\transferir copia_98087.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferir copia_98087.exe.log

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_01

PE file has an executable .text section and no other executable section

Source: transferir copia_98087.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

SQL strings found in memory and binary data

Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Sample is known by Antivirus

Source: transferir copia_98087.exe	Virustotal: Detection: 22%
Source: transferir copia_98087.exe	ReversingLabs: Detection: 12%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\transferir copia_98087.exe 'C:\Users\user\Desktop\transferir copia_98087.exe'
Source: unknown	Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe
Source: unknown	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'			Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\transferir copia_98087.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: transferir copia_98087.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: transferir copia_98087.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: msdt.pdbGCTL source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: transferir copia_98087.exe, 00000001.00000002.271679191.00000000019E0000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.483918470.0000000004950000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: transferir copia_98087.exe, msdt.exe
Source:	Binary string: msdt.pdb source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00415140 push ss; ret		1_2_00415141
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_00416A29 push ds; iretd		1_2_00416A2D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041B3B5 push eax; ret		1_2_0041B408
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041B46C push eax; ret		1_2_0041B472
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041B402 push eax; ret		1_2_0041B408
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_0041B40B push eax; ret		1_2_0041B472
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A5D0D1 push ecx; ret		1_2_01A5D0E4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049CD0D1 push ecx; ret		5_2_049CD0E4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02526A29 push ds; iretd		5_2_02526A2D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252C307 push DC2F2D13h; retf		5_2_0252C30C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252B3B5 push eax; ret		5_2_0252B408
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_02525140 push ss; ret		5_2_02525141
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252B46C push eax; ret		5_2_0252B472
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252B402 push eax; ret		5_2_0252B408
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0252B40B push eax; ret		5_2_0252B472

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 7.53410311595

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Source: Yara match	File source: 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferir copia_98087.exe PID: 3096, type: MEMORY
Source: Yara match	File source: 0.2.transferir copia_98087.exe.317996c.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\transferir copia_98087.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\transferir copia_98087.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 00000000025185E4 second address: 00000000025185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 000000000251897E second address: 0000000002518984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Code function: 1_2_004088B0 rdtsc

1_2_004088B0

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\transferir copia_98087.exe TID: 3120	Thread sleep time: -100155s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe TID: 3560	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 5992	Thread sleep time: -40000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\explorer.exe

Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000002.00000000.251439576.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.251439576.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: msdt.exe, 00000005.00000002.482802517.0000000002BB2000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWx
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.249663630.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.250494165.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000002.00000002.496799071.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: msdt.exe, 00000005.00000002.482909063.0000000002BDE000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.251439576.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.251439576.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.252060562.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000002.00000002.496919914.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000000.249663630.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.249663630.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.249663630.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Code function: 1_2_004088B0 rdtsc

1_2_004088B0

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Code function: 1_2_00409B20 LdrLoadDll,

1_2_00409B20

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD05AC mov eax, dword ptr fs:[00000030h]		1_2_01AD05AC
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD05AC mov eax, dword ptr fs:[00000030h]		1_2_01AD05AC
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A335A1 mov eax, dword ptr fs:[00000030h]		1_2_01A335A1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A361A0 mov eax, dword ptr fs:[00000030h]		1_2_01A361A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A361A0 mov eax, dword ptr fs:[00000030h]		1_2_01A361A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A869A6 mov eax, dword ptr fs:[00000030h]		1_2_01A869A6
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A31DB5 mov eax, dword ptr fs:[00000030h]		1_2_01A31DB5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A31DB5 mov eax, dword ptr fs:[00000030h]		1_2_01A31DB5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A31DB5 mov eax, dword ptr fs:[00000030h]		1_2_01A31DB5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A851BE mov eax, dword ptr fs:[00000030h]		1_2_01A851BE
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A851BE mov eax, dword ptr fs:[00000030h]		1_2_01A851BE
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A851BE mov eax, dword ptr fs:[00000030h]		1_2_01A851BE
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A851BE mov eax, dword ptr fs:[00000030h]		1_2_01A851BE
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2C182 mov eax, dword ptr fs:[00000030h]		1_2_01A2C182
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32581 mov eax, dword ptr fs:[00000030h]		1_2_01A32581
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32581 mov eax, dword ptr fs:[00000030h]		1_2_01A32581
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32581 mov eax, dword ptr fs:[00000030h]		1_2_01A32581
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32581 mov eax, dword ptr fs:[00000030h]		1_2_01A32581
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3A185 mov eax, dword ptr fs:[00000030h]		1_2_01A3A185
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A02D8A mov eax, dword ptr fs:[00000030h]		1_2_01A02D8A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A02D8A mov eax, dword ptr fs:[00000030h]		1_2_01A02D8A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A02D8A mov eax, dword ptr fs:[00000030h]		1_2_01A02D8A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A02D8A mov eax, dword ptr fs:[00000030h]		1_2_01A02D8A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A02D8A mov eax, dword ptr fs:[00000030h]		1_2_01A02D8A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32990 mov eax, dword ptr fs:[00000030h]		1_2_01A32990
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3FD9B mov eax, dword ptr fs:[00000030h]		1_2_01A3FD9B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3FD9B mov eax, dword ptr fs:[00000030h]		1_2_01A3FD9B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0B1E1 mov eax, dword ptr fs:[00000030h]		1_2_01A0B1E1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0B1E1 mov eax, dword ptr fs:[00000030h]		1_2_01A0B1E1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0B1E1 mov eax, dword ptr fs:[00000030h]		1_2_01A0B1E1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A941E8 mov eax, dword ptr fs:[00000030h]		1_2_01A941E8
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1D5E0 mov eax, dword ptr fs:[00000030h]		1_2_01A1D5E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1D5E0 mov eax, dword ptr fs:[00000030h]		1_2_01A1D5E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACFDE2 mov eax, dword ptr fs:[00000030h]		1_2_01ACFDE2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACFDE2 mov eax, dword ptr fs:[00000030h]		1_2_01ACFDE2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACFDE2 mov eax, dword ptr fs:[00000030h]		1_2_01ACFDE2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACFDE2 mov eax, dword ptr fs:[00000030h]		1_2_01ACFDE2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AB8DF1 mov eax, dword ptr fs:[00000030h]		1_2_01AB8DF1
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86DC9 mov eax, dword ptr fs:[00000030h]		1_2_01A86DC9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86DC9 mov eax, dword ptr fs:[00000030h]		1_2_01A86DC9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86DC9 mov eax, dword ptr fs:[00000030h]		1_2_01A86DC9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86DC9 mov ecx, dword ptr fs:[00000030h]		1_2_01A86DC9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86DC9 mov eax, dword ptr fs:[00000030h]		1_2_01A86DC9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86DC9 mov eax, dword ptr fs:[00000030h]		1_2_01A86DC9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120 mov eax, dword ptr fs:[00000030h]		1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120 mov eax, dword ptr fs:[00000030h]		1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120 mov eax, dword ptr fs:[00000030h]		1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120 mov eax, dword ptr fs:[00000030h]		1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A24120 mov ecx, dword ptr fs:[00000030h]		1_2_01A24120
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0AD30 mov eax, dword ptr fs:[00000030h]		1_2_01A0AD30
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A13D34 mov eax, dword ptr fs:[00000030h]		1_2_01A13D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACE539 mov eax, dword ptr fs:[00000030h]		1_2_01ACE539
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A34D3B mov eax, dword ptr fs:[00000030h]		1_2_01A34D3B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A34D3B mov eax, dword ptr fs:[00000030h]		1_2_01A34D3B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A34D3B mov eax, dword ptr fs:[00000030h]		1_2_01A34D3B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD8D34 mov eax, dword ptr fs:[00000030h]		1_2_01AD8D34
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3513A mov eax, dword ptr fs:[00000030h]		1_2_01A3513A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3513A mov eax, dword ptr fs:[00000030h]		1_2_01A3513A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A8A537 mov eax, dword ptr fs:[00000030h]		1_2_01A8A537
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09100 mov eax, dword ptr fs:[00000030h]		1_2_01A09100
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09100 mov eax, dword ptr fs:[00000030h]		1_2_01A09100
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09100 mov eax, dword ptr fs:[00000030h]		1_2_01A09100
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0C962 mov eax, dword ptr fs:[00000030h]		1_2_01A0C962
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0B171 mov eax, dword ptr fs:[00000030h]		1_2_01A0B171
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0B171 mov eax, dword ptr fs:[00000030h]		1_2_01A0B171
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2C577 mov eax, dword ptr fs:[00000030h]		1_2_01A2C577
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2C577 mov eax, dword ptr fs:[00000030h]		1_2_01A2C577
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2B944 mov eax, dword ptr fs:[00000030h]		1_2_01A2B944
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2B944 mov eax, dword ptr fs:[00000030h]		1_2_01A2B944
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A43D43 mov eax, dword ptr fs:[00000030h]		1_2_01A43D43
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A83540 mov eax, dword ptr fs:[00000030h]		1_2_01A83540
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A27D50 mov eax, dword ptr fs:[00000030h]		1_2_01A27D50
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0 mov eax, dword ptr fs:[00000030h]		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0 mov eax, dword ptr fs:[00000030h]		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0 mov eax, dword ptr fs:[00000030h]		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0 mov eax, dword ptr fs:[00000030h]		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0 mov eax, dword ptr fs:[00000030h]		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A320A0 mov eax, dword ptr fs:[00000030h]		1_2_01A320A0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A490AF mov eax, dword ptr fs:[00000030h]		1_2_01A490AF
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3F0BF mov ecx, dword ptr fs:[00000030h]		1_2_01A3F0BF
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3F0BF mov eax, dword ptr fs:[00000030h]		1_2_01A3F0BF
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3F0BF mov eax, dword ptr fs:[00000030h]		1_2_01A3F0BF
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09080 mov eax, dword ptr fs:[00000030h]		1_2_01A09080
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A83884 mov eax, dword ptr fs:[00000030h]		1_2_01A83884
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A83884 mov eax, dword ptr fs:[00000030h]		1_2_01A83884
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1849B mov eax, dword ptr fs:[00000030h]		1_2_01A1849B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A058EC mov eax, dword ptr fs:[00000030h]		1_2_01A058EC
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC14FB mov eax, dword ptr fs:[00000030h]		1_2_01AC14FB
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86CF0 mov eax, dword ptr fs:[00000030h]		1_2_01A86CF0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86CF0 mov eax, dword ptr fs:[00000030h]		1_2_01A86CF0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86CF0 mov eax, dword ptr fs:[00000030h]		1_2_01A86CF0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9B8D0 mov eax, dword ptr fs:[00000030h]		1_2_01A9B8D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9B8D0 mov ecx, dword ptr fs:[00000030h]		1_2_01A9B8D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9B8D0 mov eax, dword ptr fs:[00000030h]		1_2_01A9B8D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9B8D0 mov eax, dword ptr fs:[00000030h]		1_2_01A9B8D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9B8D0 mov eax, dword ptr fs:[00000030h]		1_2_01A9B8D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9B8D0 mov eax, dword ptr fs:[00000030h]		1_2_01A9B8D0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD8CD6 mov eax, dword ptr fs:[00000030h]		1_2_01AD8CD6
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1B02A mov eax, dword ptr fs:[00000030h]		1_2_01A1B02A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1B02A mov eax, dword ptr fs:[00000030h]		1_2_01A1B02A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1B02A mov eax, dword ptr fs:[00000030h]		1_2_01A1B02A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1B02A mov eax, dword ptr fs:[00000030h]		1_2_01A1B02A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3002D mov eax, dword ptr fs:[00000030h]		1_2_01A3002D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3002D mov eax, dword ptr fs:[00000030h]		1_2_01A3002D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3002D mov eax, dword ptr fs:[00000030h]		1_2_01A3002D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3002D mov eax, dword ptr fs:[00000030h]		1_2_01A3002D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3002D mov eax, dword ptr fs:[00000030h]		1_2_01A3002D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3BC2C mov eax, dword ptr fs:[00000030h]		1_2_01A3BC2C
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD740D mov eax, dword ptr fs:[00000030h]		1_2_01AD740D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD740D mov eax, dword ptr fs:[00000030h]		1_2_01AD740D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD740D mov eax, dword ptr fs:[00000030h]		1_2_01AD740D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86C0A mov eax, dword ptr fs:[00000030h]		1_2_01A86C0A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86C0A mov eax, dword ptr fs:[00000030h]		1_2_01A86C0A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86C0A mov eax, dword ptr fs:[00000030h]		1_2_01A86C0A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A86C0A mov eax, dword ptr fs:[00000030h]		1_2_01A86C0A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1C06 mov eax, dword ptr fs:[00000030h]		1_2_01AC1C06
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD4015 mov eax, dword ptr fs:[00000030h]		1_2_01AD4015
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD4015 mov eax, dword ptr fs:[00000030h]		1_2_01AD4015
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A87016 mov eax, dword ptr fs:[00000030h]		1_2_01A87016
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A87016 mov eax, dword ptr fs:[00000030h]		1_2_01A87016
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A87016 mov eax, dword ptr fs:[00000030h]		1_2_01A87016
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2746D mov eax, dword ptr fs:[00000030h]		1_2_01A2746D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD1074 mov eax, dword ptr fs:[00000030h]		1_2_01AD1074
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC2073 mov eax, dword ptr fs:[00000030h]		1_2_01AC2073
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3A44B mov eax, dword ptr fs:[00000030h]		1_2_01A3A44B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A20050 mov eax, dword ptr fs:[00000030h]		1_2_01A20050
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A20050 mov eax, dword ptr fs:[00000030h]		1_2_01A20050
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9C450 mov eax, dword ptr fs:[00000030h]		1_2_01A9C450
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9C450 mov eax, dword ptr fs:[00000030h]		1_2_01A9C450
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD5BA5 mov eax, dword ptr fs:[00000030h]		1_2_01AD5BA5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A34BAD mov eax, dword ptr fs:[00000030h]		1_2_01A34BAD
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A34BAD mov eax, dword ptr fs:[00000030h]		1_2_01A34BAD
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A34BAD mov eax, dword ptr fs:[00000030h]		1_2_01A34BAD
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC138A mov eax, dword ptr fs:[00000030h]		1_2_01AC138A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ABD380 mov ecx, dword ptr fs:[00000030h]		1_2_01ABD380
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A11B8F mov eax, dword ptr fs:[00000030h]		1_2_01A11B8F
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A11B8F mov eax, dword ptr fs:[00000030h]		1_2_01A11B8F
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3B390 mov eax, dword ptr fs:[00000030h]		1_2_01A3B390
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32397 mov eax, dword ptr fs:[00000030h]		1_2_01A32397
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A18794 mov eax, dword ptr fs:[00000030h]		1_2_01A18794
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A87794 mov eax, dword ptr fs:[00000030h]		1_2_01A87794
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A87794 mov eax, dword ptr fs:[00000030h]		1_2_01A87794
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A87794 mov eax, dword ptr fs:[00000030h]		1_2_01A87794
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A303E2 mov eax, dword ptr fs:[00000030h]		1_2_01A303E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A303E2 mov eax, dword ptr fs:[00000030h]		1_2_01A303E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A303E2 mov eax, dword ptr fs:[00000030h]		1_2_01A303E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A303E2 mov eax, dword ptr fs:[00000030h]		1_2_01A303E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A303E2 mov eax, dword ptr fs:[00000030h]		1_2_01A303E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A303E2 mov eax, dword ptr fs:[00000030h]		1_2_01A303E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2DBE9 mov eax, dword ptr fs:[00000030h]		1_2_01A2DBE9
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A437F5 mov eax, dword ptr fs:[00000030h]		1_2_01A437F5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A853CA mov eax, dword ptr fs:[00000030h]		1_2_01A853CA
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A853CA mov eax, dword ptr fs:[00000030h]		1_2_01A853CA
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A04F2E mov eax, dword ptr fs:[00000030h]		1_2_01A04F2E
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A04F2E mov eax, dword ptr fs:[00000030h]		1_2_01A04F2E
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3E730 mov eax, dword ptr fs:[00000030h]		1_2_01A3E730
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD070D mov eax, dword ptr fs:[00000030h]		1_2_01AD070D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD070D mov eax, dword ptr fs:[00000030h]		1_2_01AD070D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3A70E mov eax, dword ptr fs:[00000030h]		1_2_01A3A70E
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3A70E mov eax, dword ptr fs:[00000030h]		1_2_01A3A70E
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2F716 mov eax, dword ptr fs:[00000030h]		1_2_01A2F716
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC131B mov eax, dword ptr fs:[00000030h]		1_2_01AC131B
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9FF10 mov eax, dword ptr fs:[00000030h]		1_2_01A9FF10
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9FF10 mov eax, dword ptr fs:[00000030h]		1_2_01A9FF10
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0DB60 mov ecx, dword ptr fs:[00000030h]		1_2_01A0DB60
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1FF60 mov eax, dword ptr fs:[00000030h]		1_2_01A1FF60
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD8F6A mov eax, dword ptr fs:[00000030h]		1_2_01AD8F6A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A33B7A mov eax, dword ptr fs:[00000030h]		1_2_01A33B7A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A33B7A mov eax, dword ptr fs:[00000030h]		1_2_01A33B7A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0DB40 mov eax, dword ptr fs:[00000030h]		1_2_01A0DB40
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1EF40 mov eax, dword ptr fs:[00000030h]		1_2_01A1EF40
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD8B58 mov eax, dword ptr fs:[00000030h]		1_2_01AD8B58
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0F358 mov eax, dword ptr fs:[00000030h]		1_2_01A0F358
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A052A5 mov eax, dword ptr fs:[00000030h]		1_2_01A052A5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A052A5 mov eax, dword ptr fs:[00000030h]		1_2_01A052A5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A052A5 mov eax, dword ptr fs:[00000030h]		1_2_01A052A5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A052A5 mov eax, dword ptr fs:[00000030h]		1_2_01A052A5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A052A5 mov eax, dword ptr fs:[00000030h]		1_2_01A052A5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD0EA5 mov eax, dword ptr fs:[00000030h]		1_2_01AD0EA5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD0EA5 mov eax, dword ptr fs:[00000030h]		1_2_01AD0EA5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD0EA5 mov eax, dword ptr fs:[00000030h]		1_2_01AD0EA5
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A846A7 mov eax, dword ptr fs:[00000030h]		1_2_01A846A7
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1AAB0 mov eax, dword ptr fs:[00000030h]		1_2_01A1AAB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1AAB0 mov eax, dword ptr fs:[00000030h]		1_2_01A1AAB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3FAB0 mov eax, dword ptr fs:[00000030h]		1_2_01A3FAB0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A9FE87 mov eax, dword ptr fs:[00000030h]		1_2_01A9FE87
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3D294 mov eax, dword ptr fs:[00000030h]		1_2_01A3D294
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3D294 mov eax, dword ptr fs:[00000030h]		1_2_01A3D294
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A316E0 mov ecx, dword ptr fs:[00000030h]		1_2_01A316E0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A176E2 mov eax, dword ptr fs:[00000030h]		1_2_01A176E2
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32AE4 mov eax, dword ptr fs:[00000030h]		1_2_01A32AE4
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A48EC7 mov eax, dword ptr fs:[00000030h]		1_2_01A48EC7
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A32ACB mov eax, dword ptr fs:[00000030h]		1_2_01A32ACB
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ABFEC0 mov eax, dword ptr fs:[00000030h]		1_2_01ABFEC0
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A336CC mov eax, dword ptr fs:[00000030h]		1_2_01A336CC
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD8ED6 mov eax, dword ptr fs:[00000030h]		1_2_01AD8ED6
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0E620 mov eax, dword ptr fs:[00000030h]		1_2_01A0E620
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A44A2C mov eax, dword ptr fs:[00000030h]		1_2_01A44A2C
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A44A2C mov eax, dword ptr fs:[00000030h]		1_2_01A44A2C
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ABFE3F mov eax, dword ptr fs:[00000030h]		1_2_01ABFE3F
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0C600 mov eax, dword ptr fs:[00000030h]		1_2_01A0C600
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0C600 mov eax, dword ptr fs:[00000030h]		1_2_01A0C600
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0C600 mov eax, dword ptr fs:[00000030h]		1_2_01A0C600
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A38E00 mov eax, dword ptr fs:[00000030h]		1_2_01A38E00
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AC1608 mov eax, dword ptr fs:[00000030h]		1_2_01AC1608
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A18A0A mov eax, dword ptr fs:[00000030h]		1_2_01A18A0A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A05210 mov eax, dword ptr fs:[00000030h]		1_2_01A05210
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A05210 mov ecx, dword ptr fs:[00000030h]		1_2_01A05210
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A05210 mov eax, dword ptr fs:[00000030h]		1_2_01A05210
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A05210 mov eax, dword ptr fs:[00000030h]		1_2_01A05210
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0AA16 mov eax, dword ptr fs:[00000030h]		1_2_01A0AA16
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A0AA16 mov eax, dword ptr fs:[00000030h]		1_2_01A0AA16
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A23A1C mov eax, dword ptr fs:[00000030h]		1_2_01A23A1C
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3A61C mov eax, dword ptr fs:[00000030h]		1_2_01A3A61C
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A3A61C mov eax, dword ptr fs:[00000030h]		1_2_01A3A61C
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ABB260 mov eax, dword ptr fs:[00000030h]		1_2_01ABB260
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ABB260 mov eax, dword ptr fs:[00000030h]		1_2_01ABB260
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A1766D mov eax, dword ptr fs:[00000030h]		1_2_01A1766D
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01AD8A62 mov eax, dword ptr fs:[00000030h]		1_2_01AD8A62
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2AE73 mov eax, dword ptr fs:[00000030h]		1_2_01A2AE73
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2AE73 mov eax, dword ptr fs:[00000030h]		1_2_01A2AE73
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2AE73 mov eax, dword ptr fs:[00000030h]		1_2_01A2AE73
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2AE73 mov eax, dword ptr fs:[00000030h]		1_2_01A2AE73
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A2AE73 mov eax, dword ptr fs:[00000030h]		1_2_01A2AE73
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A4927A mov eax, dword ptr fs:[00000030h]		1_2_01A4927A
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09240 mov eax, dword ptr fs:[00000030h]		1_2_01A09240
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09240 mov eax, dword ptr fs:[00000030h]		1_2_01A09240
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09240 mov eax, dword ptr fs:[00000030h]		1_2_01A09240
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A09240 mov eax, dword ptr fs:[00000030h]		1_2_01A09240
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A17E41 mov eax, dword ptr fs:[00000030h]		1_2_01A17E41
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A17E41 mov eax, dword ptr fs:[00000030h]		1_2_01A17E41
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A17E41 mov eax, dword ptr fs:[00000030h]		1_2_01A17E41
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A17E41 mov eax, dword ptr fs:[00000030h]		1_2_01A17E41
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A17E41 mov eax, dword ptr fs:[00000030h]		1_2_01A17E41
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A17E41 mov eax, dword ptr fs:[00000030h]		1_2_01A17E41
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACAE44 mov eax, dword ptr fs:[00000030h]		1_2_01ACAE44
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACAE44 mov eax, dword ptr fs:[00000030h]		1_2_01ACAE44
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01ACEA55 mov eax, dword ptr fs:[00000030h]		1_2_01ACEA55
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Code function: 1_2_01A94257 mov eax, dword ptr fs:[00000030h]		1_2_01A94257
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498849B mov eax, dword ptr fs:[00000030h]		5_2_0498849B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A34496 mov eax, dword ptr fs:[00000030h]		5_2_04A34496
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A314FB mov eax, dword ptr fs:[00000030h]		5_2_04A314FB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6CF0 mov eax, dword ptr fs:[00000030h]		5_2_049F6CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6CF0 mov eax, dword ptr fs:[00000030h]		5_2_049F6CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6CF0 mov eax, dword ptr fs:[00000030h]		5_2_049F6CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A48CD6 mov eax, dword ptr fs:[00000030h]		5_2_04A48CD6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6C0A mov eax, dword ptr fs:[00000030h]		5_2_049F6C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6C0A mov eax, dword ptr fs:[00000030h]		5_2_049F6C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6C0A mov eax, dword ptr fs:[00000030h]		5_2_049F6C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6C0A mov eax, dword ptr fs:[00000030h]		5_2_049F6C0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31C06 mov eax, dword ptr fs:[00000030h]		5_2_04A31C06
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4740D mov eax, dword ptr fs:[00000030h]		5_2_04A4740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4740D mov eax, dword ptr fs:[00000030h]		5_2_04A4740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4740D mov eax, dword ptr fs:[00000030h]		5_2_04A4740D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049ABC2C mov eax, dword ptr fs:[00000030h]		5_2_049ABC2C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AA44B mov eax, dword ptr fs:[00000030h]		5_2_049AA44B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AAC7B mov eax, dword ptr fs:[00000030h]		5_2_049AAC7B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0C450 mov eax, dword ptr fs:[00000030h]		5_2_04A0C450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0C450 mov eax, dword ptr fs:[00000030h]		5_2_04A0C450
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499746D mov eax, dword ptr fs:[00000030h]		5_2_0499746D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AFD9B mov eax, dword ptr fs:[00000030h]		5_2_049AFD9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AFD9B mov eax, dword ptr fs:[00000030h]		5_2_049AFD9B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A405AC mov eax, dword ptr fs:[00000030h]		5_2_04A405AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A405AC mov eax, dword ptr fs:[00000030h]		5_2_04A405AC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2581 mov eax, dword ptr fs:[00000030h]		5_2_049A2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2581 mov eax, dword ptr fs:[00000030h]		5_2_049A2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2581 mov eax, dword ptr fs:[00000030h]		5_2_049A2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2581 mov eax, dword ptr fs:[00000030h]		5_2_049A2581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04972D8A mov eax, dword ptr fs:[00000030h]		5_2_04972D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04972D8A mov eax, dword ptr fs:[00000030h]		5_2_04972D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04972D8A mov eax, dword ptr fs:[00000030h]		5_2_04972D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04972D8A mov eax, dword ptr fs:[00000030h]		5_2_04972D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04972D8A mov eax, dword ptr fs:[00000030h]		5_2_04972D8A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A1DB5 mov eax, dword ptr fs:[00000030h]		5_2_049A1DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A1DB5 mov eax, dword ptr fs:[00000030h]		5_2_049A1DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A1DB5 mov eax, dword ptr fs:[00000030h]		5_2_049A1DB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A35A1 mov eax, dword ptr fs:[00000030h]		5_2_049A35A1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3FDE2 mov eax, dword ptr fs:[00000030h]		5_2_04A3FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3FDE2 mov eax, dword ptr fs:[00000030h]		5_2_04A3FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3FDE2 mov eax, dword ptr fs:[00000030h]		5_2_04A3FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3FDE2 mov eax, dword ptr fs:[00000030h]		5_2_04A3FDE2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A28DF1 mov eax, dword ptr fs:[00000030h]		5_2_04A28DF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6DC9 mov eax, dword ptr fs:[00000030h]		5_2_049F6DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6DC9 mov eax, dword ptr fs:[00000030h]		5_2_049F6DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6DC9 mov eax, dword ptr fs:[00000030h]		5_2_049F6DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6DC9 mov ecx, dword ptr fs:[00000030h]		5_2_049F6DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6DC9 mov eax, dword ptr fs:[00000030h]		5_2_049F6DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F6DC9 mov eax, dword ptr fs:[00000030h]		5_2_049F6DC9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498D5E0 mov eax, dword ptr fs:[00000030h]		5_2_0498D5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498D5E0 mov eax, dword ptr fs:[00000030h]		5_2_0498D5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A48D34 mov eax, dword ptr fs:[00000030h]		5_2_04A48D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3E539 mov eax, dword ptr fs:[00000030h]		5_2_04A3E539
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A4D3B mov eax, dword ptr fs:[00000030h]		5_2_049A4D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A4D3B mov eax, dword ptr fs:[00000030h]		5_2_049A4D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A4D3B mov eax, dword ptr fs:[00000030h]		5_2_049A4D3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497AD30 mov eax, dword ptr fs:[00000030h]		5_2_0497AD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049FA537 mov eax, dword ptr fs:[00000030h]		5_2_049FA537
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04983D34 mov eax, dword ptr fs:[00000030h]		5_2_04983D34
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04997D50 mov eax, dword ptr fs:[00000030h]		5_2_04997D50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B3D43 mov eax, dword ptr fs:[00000030h]		5_2_049B3D43
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F3540 mov eax, dword ptr fs:[00000030h]		5_2_049F3540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A23D40 mov eax, dword ptr fs:[00000030h]		5_2_04A23D40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499C577 mov eax, dword ptr fs:[00000030h]		5_2_0499C577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499C577 mov eax, dword ptr fs:[00000030h]		5_2_0499C577
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A40EA5 mov eax, dword ptr fs:[00000030h]		5_2_04A40EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A40EA5 mov eax, dword ptr fs:[00000030h]		5_2_04A40EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A40EA5 mov eax, dword ptr fs:[00000030h]		5_2_04A40EA5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0FE87 mov eax, dword ptr fs:[00000030h]		5_2_04A0FE87
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F46A7 mov eax, dword ptr fs:[00000030h]		5_2_049F46A7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A36CC mov eax, dword ptr fs:[00000030h]		5_2_049A36CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B8EC7 mov eax, dword ptr fs:[00000030h]		5_2_049B8EC7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A2FEC0 mov eax, dword ptr fs:[00000030h]		5_2_04A2FEC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A48ED6 mov eax, dword ptr fs:[00000030h]		5_2_04A48ED6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A16E0 mov ecx, dword ptr fs:[00000030h]		5_2_049A16E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049876E2 mov eax, dword ptr fs:[00000030h]		5_2_049876E2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AA61C mov eax, dword ptr fs:[00000030h]		5_2_049AA61C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AA61C mov eax, dword ptr fs:[00000030h]		5_2_049AA61C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497C600 mov eax, dword ptr fs:[00000030h]		5_2_0497C600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497C600 mov eax, dword ptr fs:[00000030h]		5_2_0497C600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497C600 mov eax, dword ptr fs:[00000030h]		5_2_0497C600
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A8E00 mov eax, dword ptr fs:[00000030h]		5_2_049A8E00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A2FE3F mov eax, dword ptr fs:[00000030h]		5_2_04A2FE3F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A31608 mov eax, dword ptr fs:[00000030h]		5_2_04A31608
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0497E620 mov eax, dword ptr fs:[00000030h]		5_2_0497E620
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04987E41 mov eax, dword ptr fs:[00000030h]		5_2_04987E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04987E41 mov eax, dword ptr fs:[00000030h]		5_2_04987E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04987E41 mov eax, dword ptr fs:[00000030h]		5_2_04987E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04987E41 mov eax, dword ptr fs:[00000030h]		5_2_04987E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04987E41 mov eax, dword ptr fs:[00000030h]		5_2_04987E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04987E41 mov eax, dword ptr fs:[00000030h]		5_2_04987E41
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3AE44 mov eax, dword ptr fs:[00000030h]		5_2_04A3AE44
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A3AE44 mov eax, dword ptr fs:[00000030h]		5_2_04A3AE44
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AE73 mov eax, dword ptr fs:[00000030h]		5_2_0499AE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AE73 mov eax, dword ptr fs:[00000030h]		5_2_0499AE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AE73 mov eax, dword ptr fs:[00000030h]		5_2_0499AE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AE73 mov eax, dword ptr fs:[00000030h]		5_2_0499AE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499AE73 mov eax, dword ptr fs:[00000030h]		5_2_0499AE73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498766D mov eax, dword ptr fs:[00000030h]		5_2_0498766D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F7794 mov eax, dword ptr fs:[00000030h]		5_2_049F7794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F7794 mov eax, dword ptr fs:[00000030h]		5_2_049F7794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F7794 mov eax, dword ptr fs:[00000030h]		5_2_049F7794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04988794 mov eax, dword ptr fs:[00000030h]		5_2_04988794
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B37F5 mov eax, dword ptr fs:[00000030h]		5_2_049B37F5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499F716 mov eax, dword ptr fs:[00000030h]		5_2_0499F716
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AA70E mov eax, dword ptr fs:[00000030h]		5_2_049AA70E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AA70E mov eax, dword ptr fs:[00000030h]		5_2_049AA70E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499B73D mov eax, dword ptr fs:[00000030h]		5_2_0499B73D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499B73D mov eax, dword ptr fs:[00000030h]		5_2_0499B73D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4070D mov eax, dword ptr fs:[00000030h]		5_2_04A4070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A4070D mov eax, dword ptr fs:[00000030h]		5_2_04A4070D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AE730 mov eax, dword ptr fs:[00000030h]		5_2_049AE730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0FF10 mov eax, dword ptr fs:[00000030h]		5_2_04A0FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0FF10 mov eax, dword ptr fs:[00000030h]		5_2_04A0FF10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04974F2E mov eax, dword ptr fs:[00000030h]		5_2_04974F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04974F2E mov eax, dword ptr fs:[00000030h]		5_2_04974F2E
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A48F6A mov eax, dword ptr fs:[00000030h]		5_2_04A48F6A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498EF40 mov eax, dword ptr fs:[00000030h]		5_2_0498EF40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498FF60 mov eax, dword ptr fs:[00000030h]		5_2_0498FF60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04979080 mov eax, dword ptr fs:[00000030h]		5_2_04979080
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F3884 mov eax, dword ptr fs:[00000030h]		5_2_049F3884
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F3884 mov eax, dword ptr fs:[00000030h]		5_2_049F3884
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AF0BF mov ecx, dword ptr fs:[00000030h]		5_2_049AF0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AF0BF mov eax, dword ptr fs:[00000030h]		5_2_049AF0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AF0BF mov eax, dword ptr fs:[00000030h]		5_2_049AF0BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049B90AF mov eax, dword ptr fs:[00000030h]		5_2_049B90AF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0 mov eax, dword ptr fs:[00000030h]		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0 mov eax, dword ptr fs:[00000030h]		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0 mov eax, dword ptr fs:[00000030h]		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0 mov eax, dword ptr fs:[00000030h]		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0 mov eax, dword ptr fs:[00000030h]		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A20A0 mov eax, dword ptr fs:[00000030h]		5_2_049A20A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0B8D0 mov eax, dword ptr fs:[00000030h]		5_2_04A0B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0B8D0 mov ecx, dword ptr fs:[00000030h]		5_2_04A0B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0B8D0 mov eax, dword ptr fs:[00000030h]		5_2_04A0B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0B8D0 mov eax, dword ptr fs:[00000030h]		5_2_04A0B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0B8D0 mov eax, dword ptr fs:[00000030h]		5_2_04A0B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A0B8D0 mov eax, dword ptr fs:[00000030h]		5_2_04A0B8D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049740E1 mov eax, dword ptr fs:[00000030h]		5_2_049740E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049740E1 mov eax, dword ptr fs:[00000030h]		5_2_049740E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049740E1 mov eax, dword ptr fs:[00000030h]		5_2_049740E1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049758EC mov eax, dword ptr fs:[00000030h]		5_2_049758EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499B8E4 mov eax, dword ptr fs:[00000030h]		5_2_0499B8E4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499B8E4 mov eax, dword ptr fs:[00000030h]		5_2_0499B8E4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F7016 mov eax, dword ptr fs:[00000030h]		5_2_049F7016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F7016 mov eax, dword ptr fs:[00000030h]		5_2_049F7016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F7016 mov eax, dword ptr fs:[00000030h]		5_2_049F7016
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A830 mov eax, dword ptr fs:[00000030h]		5_2_0499A830
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A830 mov eax, dword ptr fs:[00000030h]		5_2_0499A830
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A830 mov eax, dword ptr fs:[00000030h]		5_2_0499A830
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499A830 mov eax, dword ptr fs:[00000030h]		5_2_0499A830
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A44015 mov eax, dword ptr fs:[00000030h]		5_2_04A44015
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A44015 mov eax, dword ptr fs:[00000030h]		5_2_04A44015
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498B02A mov eax, dword ptr fs:[00000030h]		5_2_0498B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498B02A mov eax, dword ptr fs:[00000030h]		5_2_0498B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498B02A mov eax, dword ptr fs:[00000030h]		5_2_0498B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0498B02A mov eax, dword ptr fs:[00000030h]		5_2_0498B02A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A002D mov eax, dword ptr fs:[00000030h]		5_2_049A002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A002D mov eax, dword ptr fs:[00000030h]		5_2_049A002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A002D mov eax, dword ptr fs:[00000030h]		5_2_049A002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A002D mov eax, dword ptr fs:[00000030h]		5_2_049A002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A002D mov eax, dword ptr fs:[00000030h]		5_2_049A002D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04990050 mov eax, dword ptr fs:[00000030h]		5_2_04990050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04990050 mov eax, dword ptr fs:[00000030h]		5_2_04990050
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A32073 mov eax, dword ptr fs:[00000030h]		5_2_04A32073
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A41074 mov eax, dword ptr fs:[00000030h]		5_2_04A41074
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A349A4 mov eax, dword ptr fs:[00000030h]		5_2_04A349A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A349A4 mov eax, dword ptr fs:[00000030h]		5_2_04A349A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A349A4 mov eax, dword ptr fs:[00000030h]		5_2_04A349A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_04A349A4 mov eax, dword ptr fs:[00000030h]		5_2_04A349A4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049A2990 mov eax, dword ptr fs:[00000030h]		5_2_049A2990
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_0499C182 mov eax, dword ptr fs:[00000030h]		5_2_0499C182
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049AA185 mov eax, dword ptr fs:[00000030h]		5_2_049AA185
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F51BE mov eax, dword ptr fs:[00000030h]		5_2_049F51BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F51BE mov eax, dword ptr fs:[00000030h]		5_2_049F51BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F51BE mov eax, dword ptr fs:[00000030h]		5_2_049F51BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049F51BE mov eax, dword ptr fs:[00000030h]		5_2_049F51BE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov eax, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov eax, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov eax, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov ecx, dword ptr fs:[00000030h]		5_2_049999BF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 5_2_049999BF mov eax, dword ptr fs:[00000030h]		5_2_049999BF

Enables debug privileges

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Process token adjusted: Debug

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 46.23.69.44 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.227.138.21 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 108.62.73.206 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.88.52.102 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 18.189.205.91 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 121.36.78.101 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 150.109.148.157 80			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Memory written: C:\Users\user\Desktop\transferir copia_98087.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 290000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000002.00000000.229505034.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000002.00000000.230730452.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.483033989.0000000002FA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.230730452.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.483033989.0000000002FA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.230730452.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.483033989.0000000002FA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.230730452.0000000001980000.00000002.00000001.sdmp, msdt.exe, 00000005.00000002.483033989.0000000002FA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Users\user\Desktop\transferir copia_98087.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\transferir copia_98087.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\transferir copia_98087.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE