Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 383905
MD5: 665cb19601850467af3ee7d9fd0e0350
SHA1: 8ac40ef9fa5100a39b14258d8d8e562cefd7202c
SHA256: f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.c-voyageinc.com/r4ei/"], "decoy": ["8clintonstreet.com", "sherylhotpepperblends.com", "eucham.asia", "earnestqueen.com", "vstexchange.com", "theoutofbounds.com", "allincursive.com", "getgenevieved.com", "commonlawpeoplesassembly.net", "brideclubstorerastreamento.com", "cngelectricaldesign.com", "mizmaleather.com", "nicolabenge.com", "babyboxbuy.com", "xaydungquan9.com", "hclifechurch.com", "cwyxonlp.icu", "inocentkidd.com", "worldhw.com", "soul.exchange", "garshbedmi.info", "hayratindonesia.com", "optimummedical-uk.com", "jagocopywriter.com", "loandong.com", "tnacharters.com", "rdj-cpa.com", "nklwmb.com", "baykusbaskimerkezi.xyz", "websiteworlda-z.com", "gulumsekoop.xyz", "artforthebayarea.com", "hkafrfudl.icu", "thekhufureign.com", "stanfordcodingtutor.com", "puoynios.website", "saearners.info", "epipdfhany.com", "cowboycooloutfitters.net", "therealrefinery.com", "royal-english-academy.com", "dante.report", "montonvuraeditted.space", "webuytampabayhouses.com", "phorice.com", "juxrams.info", "francisboyrd.com", "edifice-base.com", "shjzly.com", "frisdrank.deals", "cannajointn.com", "dianshi.ink", "droneserviceshouston.com", "swaymontoya.com", "omvvv.com", "yourherogarden.net", "areenaarora.com", "complex-kokukenzyo.com", "minyakgelici.com", "municipiodeanton.net", "opimexico.com", "xgame.online", "squrl.network", "bayleafdenver.info"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: PO.exe ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.explorer.exe.51af834.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.PO.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PO.exe.2670000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: explorer.pdbUGP source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO.exe, explorer.exe
Source: Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
Source: Binary string: explorer.pdb source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO.exe Code function: 4x nop then pop ebx 1_2_00407AFA
Source: C:\Users\user\Desktop\PO.exe Code function: 4x nop then pop edi 1_2_00416CA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop ebx 10_2_00897AFB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop edi 10_2_008A6CA5

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.c-voyageinc.com/r4ei/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1 | Host: www.websiteworlda-z.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1 | Host: www.phorice.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 44.227.76.166
Source: C:\Windows\explorer.exe Code function: 3_2_06D537A2 getaddrinfo,setsockopt,recv, 3_2_06D537A2
Source: unknown DNS traffic detected: queries for: www.cwyxonlp.icu
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 10:10:12 GMT | Server: Apache | Content-Length: 269 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 65 62 73 69 74 65 77 6f 72 6c 64 61 2d 7a 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.websiteworlda-z.com Port 80</address></body></html>
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.504257510.000000000569F000.00000004.00000001.sdmp String found in binary or memory: http://phorice.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
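The two GET requests recorded in this section go to www.websiteworlda-z.com and www.phorice.com, both of which appear in the extracted configuration's decoy list rather than its C2 list, while the URI path /r4ei/ is the one configured for the real C2 www.c-voyageinc.com, and neither request carries a User-Agent header. The following Python is an added example, not part of the sandbox output: it classifies each observed request against the extracted configuration, records the missing User-Agent, and derives the host and path indicators to hunt for. Stripping the leading www. label (the config entries omit it, the Host headers carry it), the benign contrast request and the shortened decoy list are assumptions made for the example.

```python
"""Correlate the HTTP requests observed in the report with the FormBook
configuration the sandbox extracted. Added example, not sandbox output."""
import json
from urllib.parse import urlsplit

# Configuration as printed by the report's malware configuration extractor.
# The decoy list is shortened here to the entries the observed traffic
# touches; the full 64-entry list is in the report.
CONFIG = json.loads("""{
  "C2 list": ["www.c-voyageinc.com/r4ei/"],
  "decoy": ["8clintonstreet.com", "cwyxonlp.icu", "websiteworlda-z.com",
            "phorice.com", "bayleafdenver.info"]
}""")

# Requests as they appear in the report: (Host header, request target,
# remaining headers). The last entry is a constructed benign request.
OBSERVED = [
    ("www.websiteworlda-z.com",
     "/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f",
     {"Connection": "close"}),
    ("www.phorice.com",
     "/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f",
     {"Connection": "close"}),
    ("www.example.org", "/index.html",
     {"Connection": "close", "User-Agent": "Mozilla/5.0"}),
]


def strip_www(host):
    """Config entries omit the leading 'www.' that the beacons use (assumption)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_entries(config):
    """Map each configured C2 host (www-stripped) to its URI path."""
    out = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        out[strip_www(host)] = "/" + path
    return out


def query_params(target):
    """Parameter names only. Values are kept raw: the '+' inside them is
    data, and urllib.parse.parse_qs would turn it into a space."""
    query = urlsplit(target).query
    return [p.split("=", 1)[0] for p in query.split("&") if p]


def classify(host, target, config):
    """Return 'c2', 'decoy', 'c2-path-unknown-host' or 'unrelated'."""
    path = urlsplit(target).path
    c2 = c2_entries(config)
    decoys = {strip_www(d) for d in config["decoy"]}
    h = strip_www(host)
    if path not in c2.values():
        return "unrelated"
    if c2.get(h) == path:
        return "c2"
    if h in decoys:
        return "decoy"
    return "c2-path-unknown-host"


def triage(host, target, headers, config):
    """One verdict per request: host classification, the missing
    User-Agent the report flags, and the beacon's parameter names."""
    return {
        "host": host,
        "class": classify(host, target, config),
        "no_user_agent": not any(k.lower() == "user-agent" for k in headers),
        "params": query_params(target),
    }


def network_iocs(config):
    """Hosts to block or hunt for, plus the URI path shared by the real C2
    and the decoy requests."""
    c2 = c2_entries(config)
    hosts = set(c2) | {strip_www(d) for d in config["decoy"]}
    return {"hosts": sorted(hosts), "paths": sorted(set(c2.values()))}


if __name__ == "__main__":
    for host, target, headers in OBSERVED:
        print(triage(host, target, headers, CONFIG))
    print(network_iocs(CONFIG))
```

Matching on the full path /r4ei/ rather than on the host alone is what separates a decoy request from an unrelated one: both observed hosts are harmless on their own, and only the shared path ties them to the configured C2.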

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041A060 NtClose, 1_2_0041A060
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041A110 NtAllocateVirtualMemory, 1_2_0041A110
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419F30 NtCreateFile, 1_2_00419F30
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419FE0 NtReadFile, 1_2_00419FE0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419F2B NtCreateFile, 1_2_00419F2B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419FDA NtReadFile, 1_2_00419FDA
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00419F82 NtReadFile, 1_2_00419F82
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A798F0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A79860
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk, 1_2_00A79840
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk, 1_2_00A799A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A79910
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk, 1_2_00A79A20
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A79A00
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk, 1_2_00A79A50
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk, 1_2_00A795D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk, 1_2_00A79540
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A796E0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A79660
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A797A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A79780
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A79710
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A798A0 NtWriteVirtualMemory, 1_2_00A798A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79820 NtEnumerateKey, 1_2_00A79820
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7B040 NtSuspendThread, 1_2_00A7B040
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A799D0 NtCreateProcessEx, 1_2_00A799D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79950 NtQueueApcThread, 1_2_00A79950
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A80 NtOpenDirectoryObject, 1_2_00A79A80
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79A10 NtQuerySection, 1_2_00A79A10
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7A3B0 NtGetContextThread, 1_2_00A7A3B0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79B00 NtSetValueKey, 1_2_00A79B00
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A795F0 NtQueryInformationFile, 1_2_00A795F0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79520 NtWaitForSingleObject, 1_2_00A79520
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7AD30 NtSetContextThread, 1_2_00A7AD30
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79560 NtWriteFile, 1_2_00A79560
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A796D0 NtCreateKey, 1_2_00A796D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79610 NtEnumerateValueKey, 1_2_00A79610
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79670 NtQueryInformationProcess, 1_2_00A79670
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79650 NtQueryValueKey, 1_2_00A79650
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A79FE0 NtCreateMutant, 1_2_00A79FE0
Source: C:\Windows\explorer.exe Code function: 3_2_06D52A52 NtCreateFile, 3_2_06D52A52
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9840 NtDelayExecution,LdrInitializeThunk, 10_2_04CE9840
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_04CE9860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE95D0 NtClose,LdrInitializeThunk, 10_2_04CE95D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE99A0 NtCreateSection,LdrInitializeThunk, 10_2_04CE99A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9540 NtReadFile,LdrInitializeThunk, 10_2_04CE9540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_04CE9910
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE96D0 NtCreateKey,LdrInitializeThunk, 10_2_04CE96D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_04CE96E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9650 NtQueryValueKey,LdrInitializeThunk, 10_2_04CE9650
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A50 NtCreateFile,LdrInitializeThunk, 10_2_04CE9A50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_04CE9660
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9FE0 NtCreateMutant,LdrInitializeThunk, 10_2_04CE9FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9780 NtMapViewOfSection,LdrInitializeThunk, 10_2_04CE9780
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9710 NtQueryInformationToken,LdrInitializeThunk, 10_2_04CE9710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE98F0 NtReadVirtualMemory, 10_2_04CE98F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE98A0 NtWriteVirtualMemory, 10_2_04CE98A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEB040 NtSuspendThread, 10_2_04CEB040
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9820 NtEnumerateKey, 10_2_04CE9820
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE99D0 NtCreateProcessEx, 10_2_04CE99D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE95F0 NtQueryInformationFile, 10_2_04CE95F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9950 NtQueueApcThread, 10_2_04CE9950
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9560 NtWriteFile, 10_2_04CE9560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9520 NtWaitForSingleObject, 10_2_04CE9520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEAD30 NtSetContextThread, 10_2_04CEAD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A80 NtOpenDirectoryObject, 10_2_04CE9A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9670 NtQueryInformationProcess, 10_2_04CE9670
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A00 NtProtectVirtualMemory, 10_2_04CE9A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9610 NtEnumerateValueKey, 10_2_04CE9610
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A10 NtQuerySection, 10_2_04CE9A10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9A20 NtResumeThread, 10_2_04CE9A20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE97A0 NtUnmapViewOfSection, 10_2_04CE97A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEA3B0 NtGetContextThread, 10_2_04CEA3B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9760 NtOpenProcess, 10_2_04CE9760
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9770 NtSetInformationFile, 10_2_04CE9770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEA770 NtOpenThread, 10_2_04CEA770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9B00 NtSetValueKey, 10_2_04CE9B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CEA710 NtOpenProcessToken, 10_2_04CEA710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE9730 NtQueryVirtualMemory, 10_2_04CE9730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AA060 NtClose, 10_2_008AA060
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AA110 NtAllocateVirtualMemory, 10_2_008AA110
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9FE0 NtReadFile, 10_2_008A9FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9F30 NtCreateFile, 10_2_008A9F30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9F82 NtReadFile, 10_2_008A9F82
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9FDA NtReadFile, 10_2_008A9FDA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A9F2B NtCreateFile, 10_2_008A9F2B
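The native calls listed above (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtMapViewOfSection, NtSetContextThread, NtResumeThread, NtQueueApcThread) are the building blocks behind the "Sample uses process hollowing technique", "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures. The following Python is an added example, not anything the sandbox emits: it shows how a detection turns those call names into an ordered pattern tracked per (caller, target) process pair. The trace records, their field layout and the process IDs are constructed for the example.

```python
"""Flag process-hollowing and APC-injection call sequences in a per-process
API trace. Added example; the trace is constructed, not sandbox output."""
from collections import defaultdict

# Constructed trace records: {"pid": caller, "api": name, "target": process
# acted on, "args": selected arguments}. Real traces would carry more.
TRACE = [
    # Hollowing: child created suspended, image unmapped, new image written,
    # entry point redirected, thread resumed.
    {"pid": 1, "api": "CreateProcessA", "target": 2, "args": {"flags": "CREATE_SUSPENDED"}},
    {"pid": 1, "api": "NtUnmapViewOfSection", "target": 2, "args": {}},
    {"pid": 1, "api": "NtWriteVirtualMemory", "target": 2, "args": {}},
    {"pid": 1, "api": "NtWriteVirtualMemory", "target": 2, "args": {}},
    {"pid": 1, "api": "NtSetContextThread", "target": 2, "args": {}},
    {"pid": 1, "api": "NtResumeThread", "target": 2, "args": {}},
    # APC injection from the hollowed process into an already running one.
    {"pid": 2, "api": "NtOpenProcess", "target": 3, "args": {}},
    {"pid": 2, "api": "NtMapViewOfSection", "target": 3, "args": {}},
    {"pid": 2, "api": "NtQueueApcThread", "target": 3, "args": {}},
    # Benign: ordinary child, never suspended, no memory written into it.
    {"pid": 5, "api": "CreateProcessA", "target": 6, "args": {"flags": ""}},
    {"pid": 5, "api": "NtResumeThread", "target": 6, "args": {}},
]


def suspended(rec):
    """Hollowing needs the child parked before its image is replaced."""
    return "CREATE_SUSPENDED" in rec["args"].get("flags", "")


CREATE = {"CreateProcessA", "CreateProcessW", "NtCreateProcessEx"}
WRITE = {"NtWriteVirtualMemory", "NtMapViewOfSection"}

# Each pattern is an ordered list of steps; a step matches on the API name
# and, optionally, on an argument predicate.
PATTERNS = {
    "process_hollowing": [
        {"apis": CREATE, "require": suspended},
        {"apis": {"NtUnmapViewOfSection"}},
        {"apis": WRITE},
        {"apis": {"NtSetContextThread"}},
        {"apis": {"NtResumeThread"}},
    ],
    "apc_injection": [
        {"apis": CREATE | {"NtOpenProcess"}},
        {"apis": WRITE},
        {"apis": {"NtQueueApcThread"}},
    ],
}


def scan(trace, patterns):
    """Advance each (pattern, caller, target) state machine through the
    trace; unrelated calls in between are ignored. Returns the alerts in
    the order they complete."""
    progress = defaultdict(int)
    alerts = []
    for rec in trace:
        for name, steps in patterns.items():
            key = (name, rec["pid"], rec["target"])
            step = steps[progress[key]]
            req = step.get("require")
            if rec["api"] in step["apis"] and (req is None or req(rec)):
                progress[key] += 1
                if progress[key] == len(steps):
                    alerts.append((name, rec["pid"], rec["target"]))
                    progress[key] = 0
    return alerts


if __name__ == "__main__":
    for name, src, dst in scan(TRACE, PATTERNS):
        print(f"{name}: pid {src} -> pid {dst}")
```

Tolerating unrelated calls between steps is what lets the benign child (created without CREATE_SUSPENDED and never written to) fall through without an alert, but it also means a long-lived process could eventually satisfy a pattern by accident; a production version should bound the time between steps and drop state when the target process exits.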
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040314A
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 04CAB150 appears 35 times
Source: C:\Users\user\Desktop\PO.exe Code function: String function: 00A3B150 appears 45 times
Sample file is different than original file name gathered from version info
Source: PO.exe, 00000000.00000003.234946045.000000001EF76000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000003.242100037.000000000098F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
Source: PO.exe, 00000001.00000002.294578840.0000000002BFE000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs PO.exe
Uses 32bit PE files
Source: PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@3/2
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041E5
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar, 0_2_004020A6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_01
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsoBF0C.tmp
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO.exe ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\user\Desktop\PO.exe
Source: unknown Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: C:\Users\user\Desktop\PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: explorer.pdbUGP source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO.exe, explorer.exe
Source: Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
Source: Binary string: explorer.pdb source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PO.exe Unpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041B828 push cs; ret 1_2_0041B82D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D0D2 push eax; ret 1_2_0041D0D8
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D0DB push eax; ret 1_2_0041D142
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D085 push eax; ret 1_2_0041D0D8
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D13C push eax; ret 1_2_0041D142
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00418292 pushad ; retf 1_2_00418296
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00417C74 push ds; iretd 1_2_00417C94
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E638 pushad ; ret 1_2_0041E63A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00416740 push FFFFFF87h; retf 1_2_00416774
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A8D0D1 push ecx; ret 1_2_00A8D0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CFD0D1 push ecx; ret 10_2_04CFD0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD085 push eax; ret 10_2_008AD0D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD0DB push eax; ret 10_2_008AD142
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD0D2 push eax; ret 10_2_008AD0D8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AB828 push cs; ret 10_2_008AB82D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD13C push eax; ret 10_2_008AD142
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A8292 pushad ; retf 10_2_008A8296
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A7C74 push ds; iretd 10_2_008A7C94
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AE638 pushad ; ret 10_2_008AE63A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A6740 push FFFFFF87h; retf 10_2_008A6774

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEB
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000008998E4 second address: 00000000008998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000000899B5E second address: 0000000000899B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 1260 Thread sleep time: -58000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6136 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC
Source: explorer.exe, 00000003.00000000.259578137.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000002.503553523.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.503675832.0000000003755000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000002.503705754.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.503675832.0000000003755000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.245750611.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.259630754.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.255125796.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.259630754.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_73351000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_73351000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_0250165A mov eax, dword ptr fs:[00000030h] 0_2_0250165A
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_02501872 mov eax, dword ptr fs:[00000030h] 0_2_02501872
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h] 1_2_00A790AF
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A6F0BF
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A6F0BF
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A6F0BF
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h] 1_2_00A39080
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h] 1_2_00AB3884
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h] 1_2_00AB3884
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] 1_2_00A340E1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] 1_2_00A340E1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] 1_2_00A340E1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h] 1_2_00A358EC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] 1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] 1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] 1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] 1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] 1_2_00A6002D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] 1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] 1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] 1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] 1_2_00A4B02A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h] 1_2_00B04015
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h] 1_2_00B04015
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] 1_2_00AB7016
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] 1_2_00AB7016
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] 1_2_00AB7016
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h] 1_2_00B01074
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h] 1_2_00AF2073
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h] 1_2_00A50050
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h] 1_2_00A50050
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h] 1_2_00A661A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h] 1_2_00A661A0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h] 1_2_00AB69A6
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h] 1_2_00A6A185
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h] 1_2_00A5C182
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h] 1_2_00A62990
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A3B1E1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A3B1E1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A3B1E1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AC41E8 mov eax, dword ptr fs:[00000030h] 1_2_00AC41E8
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h] 1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h] 1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h] 1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h] 1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A54120 mov ecx, dword ptr fs:[00000030h] 1_2_00A54120
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6513A mov eax, dword ptr fs:[00000030h] 1_2_00A6513A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6513A mov eax, dword ptr fs:[00000030h] 1_2_00A6513A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h] 1_2_00A39100
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h] 1_2_00A39100
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h] 1_2_00A39100
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3C962 mov eax, dword ptr fs:[00000030h] 1_2_00A3C962
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3B171 mov eax, dword ptr fs:[00000030h] 1_2_00A3B171
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3B171 mov eax, dword ptr fs:[00000030h] 1_2_00A3B171
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5B944 mov eax, dword ptr fs:[00000030h] 1_2_00A5B944
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5B944 mov eax, dword ptr fs:[00000030h] 1_2_00A5B944
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h] 1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h] 1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h] 1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h] 1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h] 1_2_00A352A5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A4AAB0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A4AAB0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A6FAB0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6D294 mov eax, dword ptr fs:[00000030h] 1_2_00A6D294
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6D294 mov eax, dword ptr fs:[00000030h] 1_2_00A6D294
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62AE4 mov eax, dword ptr fs:[00000030h] 1_2_00A62AE4
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62ACB mov eax, dword ptr fs:[00000030h] 1_2_00A62ACB
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A74A2C mov eax, dword ptr fs:[00000030h] 1_2_00A74A2C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A74A2C mov eax, dword ptr fs:[00000030h] 1_2_00A74A2C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A48A0A mov eax, dword ptr fs:[00000030h] 1_2_00A48A0A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h] 1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A35210 mov ecx, dword ptr fs:[00000030h] 1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h] 1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h] 1_2_00A35210
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A3AA16
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A3AA16
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A53A1C mov eax, dword ptr fs:[00000030h] 1_2_00A53A1C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFAA16 mov eax, dword ptr fs:[00000030h] 1_2_00AFAA16
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFAA16 mov eax, dword ptr fs:[00000030h] 1_2_00AFAA16
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AEB260 mov eax, dword ptr fs:[00000030h] 1_2_00AEB260
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AEB260 mov eax, dword ptr fs:[00000030h] 1_2_00AEB260
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B08A62 mov eax, dword ptr fs:[00000030h] 1_2_00B08A62
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7927A mov eax, dword ptr fs:[00000030h] 1_2_00A7927A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h] 1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h] 1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h] 1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h] 1_2_00A39240
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFEA55 mov eax, dword ptr fs:[00000030h] 1_2_00AFEA55
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AC4257 mov eax, dword ptr fs:[00000030h] 1_2_00AC4257
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h] 1_2_00A64BAD
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h] 1_2_00A64BAD
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h] 1_2_00A64BAD
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B05BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B05BA5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF138A mov eax, dword ptr fs:[00000030h] 1_2_00AF138A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A41B8F mov eax, dword ptr fs:[00000030h] 1_2_00A41B8F
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A41B8F mov eax, dword ptr fs:[00000030h] 1_2_00A41B8F
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AED380 mov ecx, dword ptr fs:[00000030h] 1_2_00AED380
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62397 mov eax, dword ptr fs:[00000030h] 1_2_00A62397
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6B390 mov eax, dword ptr fs:[00000030h] 1_2_00A6B390
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h] 1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h] 1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h] 1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h] 1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h] 1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h] 1_2_00A603E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5DBE9 mov eax, dword ptr fs:[00000030h] 1_2_00A5DBE9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB53CA mov eax, dword ptr fs:[00000030h] 1_2_00AB53CA
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB53CA mov eax, dword ptr fs:[00000030h] 1_2_00AB53CA
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF131B mov eax, dword ptr fs:[00000030h] 1_2_00AF131B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A3DB60
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A63B7A mov eax, dword ptr fs:[00000030h] 1_2_00A63B7A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A63B7A mov eax, dword ptr fs:[00000030h] 1_2_00A63B7A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A3DB40
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B08B58 mov eax, dword ptr fs:[00000030h] 1_2_00B08B58
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3F358 mov eax, dword ptr fs:[00000030h] 1_2_00A3F358
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4849B mov eax, dword ptr fs:[00000030h] 1_2_00A4849B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF14FB mov eax, dword ptr fs:[00000030h] 1_2_00AF14FB
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h] 1_2_00AB6CF0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h] 1_2_00AB6CF0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h] 1_2_00AB6CF0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B08CD6 mov eax, dword ptr fs:[00000030h] 1_2_00B08CD6
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6BC2C mov eax, dword ptr fs:[00000030h] 1_2_00A6BC2C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h] 1_2_00AB6C0A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AF1C06
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h] 1_2_00B0740D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h] 1_2_00B0740D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h] 1_2_00B0740D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5746D mov eax, dword ptr fs:[00000030h] 1_2_00A5746D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6A44B mov eax, dword ptr fs:[00000030h] 1_2_00A6A44B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACC450 mov eax, dword ptr fs:[00000030h] 1_2_00ACC450
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACC450 mov eax, dword ptr fs:[00000030h] 1_2_00ACC450
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A635A1 mov eax, dword ptr fs:[00000030h] 1_2_00A635A1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A61DB5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A61DB5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A61DB5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B005AC mov eax, dword ptr fs:[00000030h] 1_2_00B005AC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B005AC mov eax, dword ptr fs:[00000030h] 1_2_00B005AC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h] 1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h] 1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h] 1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h] 1_2_00A62581
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h] 1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h] 1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h] 1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h] 1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h] 1_2_00A32D8A
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A6FD9B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A6FD9B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A4D5E0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A4D5E0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00AFFDE2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AE8DF1 mov eax, dword ptr fs:[00000030h] 1_2_00AE8DF1
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h] 1_2_00AB6DC9
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B08D34 mov eax, dword ptr fs:[00000030h] 1_2_00B08D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h] 1_2_00A43D34
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A3AD30
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFE539 mov eax, dword ptr fs:[00000030h] 1_2_00AFE539
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ABA537 mov eax, dword ptr fs:[00000030h] 1_2_00ABA537
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h] 1_2_00A64D3B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h] 1_2_00A64D3B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h] 1_2_00A64D3B
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5C577 mov eax, dword ptr fs:[00000030h] 1_2_00A5C577
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5C577 mov eax, dword ptr fs:[00000030h] 1_2_00A5C577
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A73D43 mov eax, dword ptr fs:[00000030h] 1_2_00A73D43
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB3540 mov eax, dword ptr fs:[00000030h] 1_2_00AB3540
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AE3D40 mov eax, dword ptr fs:[00000030h] 1_2_00AE3D40
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A57D50 mov eax, dword ptr fs:[00000030h] 1_2_00A57D50
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB46A7 mov eax, dword ptr fs:[00000030h] 1_2_00AB46A7
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B00EA5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B00EA5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h] 1_2_00B00EA5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00ACFE87 mov eax, dword ptr fs:[00000030h] 1_2_00ACFE87
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A616E0 mov ecx, dword ptr fs:[00000030h] 1_2_00A616E0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A476E2 mov eax, dword ptr fs:[00000030h] 1_2_00A476E2
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A78EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A78EC7
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00B08ED6 mov eax, dword ptr fs:[00000030h] 1_2_00B08ED6
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A636CC mov eax, dword ptr fs:[00000030h] 1_2_00A636CC
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AEFEC0 mov eax, dword ptr fs:[00000030h] 1_2_00AEFEC0
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3E620 mov eax, dword ptr fs:[00000030h] 1_2_00A3E620
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AEFE3F mov eax, dword ptr fs:[00000030h] 1_2_00AEFE3F
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h] 1_2_00A3C600
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h] 1_2_00A3C600
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h] 1_2_00A3C600
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A68E00 mov eax, dword ptr fs:[00000030h] 1_2_00A68E00
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AF1608 mov eax, dword ptr fs:[00000030h] 1_2_00AF1608
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6A61C mov eax, dword ptr fs:[00000030h] 1_2_00A6A61C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A6A61C mov eax, dword ptr fs:[00000030h] 1_2_00A6A61C
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A4766D mov eax, dword ptr fs:[00000030h] 1_2_00A4766D
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE73
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h] 1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h] 1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h] 1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h] 1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h] 1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h] 1_2_00A47E41
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFAE44 mov eax, dword ptr fs:[00000030h] 1_2_00AFAE44
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AFAE44 mov eax, dword ptr fs:[00000030h] 1_2_00AFAE44
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A48794 mov eax, dword ptr fs:[00000030h] 1_2_00A48794
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h] 1_2_00AB7794
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h] 1_2_00AB7794
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h] 1_2_00AB7794
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A737F5 mov eax, dword ptr fs:[00000030h] 1_2_00A737F5
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A34F2E mov eax, dword ptr fs:[00000030h] 1_2_00A34F2E
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A34F2E mov eax, dword ptr fs:[00000030h] 1_2_00A34F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D78CD6 mov eax, dword ptr fs:[00000030h] 10_2_04D78CD6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3B8D0 mov ecx, dword ptr fs:[00000030h] 10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3B8D0 mov eax, dword ptr fs:[00000030h] 10_2_04D3B8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D26CF0 mov eax, dword ptr fs:[00000030h] 10_2_04D26CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D26CF0 mov eax, dword ptr fs:[00000030h] 10_2_04D26CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D26CF0 mov eax, dword ptr fs:[00000030h] 10_2_04D26CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA58EC mov eax, dword ptr fs:[00000030h] 10_2_04CA58EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D614FB mov eax, dword ptr fs:[00000030h] 10_2_04D614FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA9080 mov eax, dword ptr fs:[00000030h] 10_2_04CA9080
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB849B mov eax, dword ptr fs:[00000030h] 10_2_04CB849B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D23884 mov eax, dword ptr fs:[00000030h] 10_2_04D23884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D23884 mov eax, dword ptr fs:[00000030h] 10_2_04D23884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE90AF mov eax, dword ptr fs:[00000030h] 10_2_04CE90AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD20A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDF0BF mov ecx, dword ptr fs:[00000030h] 10_2_04CDF0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDF0BF mov eax, dword ptr fs:[00000030h] 10_2_04CDF0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3C450 mov eax, dword ptr fs:[00000030h] 10_2_04D3C450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDA44B mov eax, dword ptr fs:[00000030h] 10_2_04CDA44B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC0050 mov eax, dword ptr fs:[00000030h] 10_2_04CC0050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC746D mov eax, dword ptr fs:[00000030h] 10_2_04CC746D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D71074 mov eax, dword ptr fs:[00000030h] 10_2_04D71074
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D62073 mov eax, dword ptr fs:[00000030h] 10_2_04D62073
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D74015 mov eax, dword ptr fs:[00000030h] 10_2_04D74015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h] 10_2_04D27016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h] 10_2_04D61C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h] 10_2_04D26C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h] 10_2_04D7740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h] 10_2_04CD002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h] 10_2_04CBB02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDBC2C mov eax, dword ptr fs:[00000030h] 10_2_04CDBC2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h] 10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D26DC9 mov ecx, dword ptr fs:[00000030h] 10_2_04D26DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D58DF1 mov eax, dword ptr fs:[00000030h] 10_2_04D58DF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h] 10_2_04CAB1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CBD5E0 mov eax, dword ptr fs:[00000030h] 10_2_04CBD5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D341E8 mov eax, dword ptr fs:[00000030h] 10_2_04D341E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h] 10_2_04CA2D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDA185 mov eax, dword ptr fs:[00000030h] 10_2_04CDA185
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h] 10_2_04CD2581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CCC182 mov eax, dword ptr fs:[00000030h] 10_2_04CCC182
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDFD9B mov eax, dword ptr fs:[00000030h] 10_2_04CDFD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD2990 mov eax, dword ptr fs:[00000030h] 10_2_04CD2990
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD35A1 mov eax, dword ptr fs:[00000030h] 10_2_04CD35A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h] 10_2_04D251BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD61A0 mov eax, dword ptr fs:[00000030h] 10_2_04CD61A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D269A6 mov eax, dword ptr fs:[00000030h] 10_2_04D269A6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h] 10_2_04CD1DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D705AC mov eax, dword ptr fs:[00000030h] 10_2_04D705AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CCB944 mov eax, dword ptr fs:[00000030h] 10_2_04CCB944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE3D43 mov eax, dword ptr fs:[00000030h] 10_2_04CE3D43
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D23540 mov eax, dword ptr fs:[00000030h] 10_2_04D23540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC7D50 mov eax, dword ptr fs:[00000030h] 10_2_04CC7D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAC962 mov eax, dword ptr fs:[00000030h] 10_2_04CAC962
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAB171 mov eax, dword ptr fs:[00000030h] 10_2_04CAB171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CCC577 mov eax, dword ptr fs:[00000030h] 10_2_04CCC577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h] 10_2_04CA9100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D78D34 mov eax, dword ptr fs:[00000030h] 10_2_04D78D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D2A537 mov eax, dword ptr fs:[00000030h] 10_2_04D2A537
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h] 10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC4120 mov ecx, dword ptr fs:[00000030h] 10_2_04CC4120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h] 10_2_04CD4D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD513A mov eax, dword ptr fs:[00000030h] 10_2_04CD513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAAD30 mov eax, dword ptr fs:[00000030h] 10_2_04CAAD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h] 10_2_04CB3D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D78ED6 mov eax, dword ptr fs:[00000030h] 10_2_04D78ED6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD36CC mov eax, dword ptr fs:[00000030h] 10_2_04CD36CC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD2ACB mov eax, dword ptr fs:[00000030h] 10_2_04CD2ACB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE8EC7 mov eax, dword ptr fs:[00000030h] 10_2_04CE8EC7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D5FEC0 mov eax, dword ptr fs:[00000030h] 10_2_04D5FEC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB76E2 mov eax, dword ptr fs:[00000030h] 10_2_04CB76E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD2AE4 mov eax, dword ptr fs:[00000030h] 10_2_04CD2AE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD16E0 mov ecx, dword ptr fs:[00000030h] 10_2_04CD16E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D3FE87 mov eax, dword ptr fs:[00000030h] 10_2_04D3FE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDD294 mov eax, dword ptr fs:[00000030h] 10_2_04CDD294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h] 10_2_04CA52A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h] 10_2_04D70EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D246A7 mov eax, dword ptr fs:[00000030h] 10_2_04D246A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CBAAB0 mov eax, dword ptr fs:[00000030h] 10_2_04CBAAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDFAB0 mov eax, dword ptr fs:[00000030h] 10_2_04CDFAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D34257 mov eax, dword ptr fs:[00000030h] 10_2_04D34257
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h] 10_2_04CA9240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h] 10_2_04CB7E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB766D mov eax, dword ptr fs:[00000030h] 10_2_04CB766D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE927A mov eax, dword ptr fs:[00000030h] 10_2_04CE927A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D5B260 mov eax, dword ptr fs:[00000030h] 10_2_04D5B260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D78A62 mov eax, dword ptr fs:[00000030h] 10_2_04D78A62
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h] 10_2_04CCAE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB8A0A mov eax, dword ptr fs:[00000030h] 10_2_04CB8A0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h] 10_2_04CAC600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD8E00 mov eax, dword ptr fs:[00000030h] 10_2_04CD8E00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CC3A1C mov eax, dword ptr fs:[00000030h] 10_2_04CC3A1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDA61C mov eax, dword ptr fs:[00000030h] 10_2_04CDA61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h] 10_2_04CA5210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CA5210 mov ecx, dword ptr fs:[00000030h] 10_2_04CA5210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAAA16 mov eax, dword ptr fs:[00000030h] 10_2_04CAAA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D61608 mov eax, dword ptr fs:[00000030h] 10_2_04D61608
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE4A2C mov eax, dword ptr fs:[00000030h] 10_2_04CE4A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D5FE3F mov eax, dword ptr fs:[00000030h] 10_2_04D5FE3F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CAE620 mov eax, dword ptr fs:[00000030h] 10_2_04CAE620
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D253CA mov eax, dword ptr fs:[00000030h] 10_2_04D253CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CCDBE9 mov eax, dword ptr fs:[00000030h] 10_2_04CCDBE9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h] 10_2_04CD03E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CE37F5 mov eax, dword ptr fs:[00000030h] 10_2_04CE37F5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB1B8F mov eax, dword ptr fs:[00000030h] 10_2_04CB1B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h] 10_2_04D27794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D5D380 mov ecx, dword ptr fs:[00000030h] 10_2_04D5D380
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD2397 mov eax, dword ptr fs:[00000030h] 10_2_04CD2397
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04D6138A mov eax, dword ptr fs:[00000030h] 10_2_04D6138A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CDB390 mov eax, dword ptr fs:[00000030h] 10_2_04CDB390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CB8794 mov eax, dword ptr fs:[00000030h] 10_2_04CB8794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h] 10_2_04CD4BAD
Enables debug privileges
Source: C:\Users\user\Desktop\PO.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.cwyxonlp.icu
Source: C:\Windows\explorer.exe Domain query: www.phorice.com
Source: C:\Windows\explorer.exe Domain query: www.websiteworlda-z.com
Source: C:\Windows\explorer.exe Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe Network Connect: 194.117.254.63 80
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_73351000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_73351000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PO.exe Section loaded: unknown target: C:\Users\user\Desktop\PO.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PO.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PO.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 900000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
Source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp, explorer.exe, 00000003.00000002.511285209.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000003.00000002.497174313.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph ID: 383905 Sample: PO.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100

Start
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • Multi AV Scanner detection for dropped file
  • 4 other signatures
  → PO.exe 18 (started)
    • dropped: C:\Users\user\AppData\Local\...\5t94xwjj.dll, PE32
    • Detected unpacking (changes PE section rights)
    • Maps a DLL or memory area into another process
    • Tries to detect virtualization through RDTSC time measurements
    • Contains functionality to prevent local Windows debugging
    → PO.exe (started)
      • Modifies the context of a thread in another process (thread injection)
      • Maps a DLL or memory area into another process
      • Sample uses process hollowing technique
      • Queues an APC in another process (thread injection)
      → explorer.exe (injected)
        • www.websiteworlda-z.com 194.117.254.63, 49693, 80 UDMEDIA-ASDE Germany
        • www.phorice.com
        • 2 other IPs or domains
        • System process connects to network (likely due to code injection or exploit)
        → explorer.exe (started)
          • Modifies the context of a thread in another process (thread injection)
          • Maps a DLL or memory area into another process
          • Tries to detect virtualization through RDTSC time measurements
          → cmd.exe 1 (started)
            → conhost.exe (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
194.117.254.63 | www.websiteworlda-z.com | Germany | 199753 | UDMEDIA-ASDE | true
44.227.76.166 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false

Contacted Domains

Name IP Active
www.websiteworlda-z.com 194.117.254.63 true
pixie.porkbun.com 44.227.76.166 true
www.cwyxonlp.icu unknown unknown
www.phorice.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.c-voyageinc.com/r4ei/ | true | Avira URL Cloud: safe | low
http://www.phorice.com/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f | true | Avira URL Cloud: safe | unknown
http://www.websiteworlda-z.com/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f | true | Avira URL Cloud: safe | unknown