Analysis Report g1EhgmCqCD.exe

Overview

General Information

Sample Name: g1EhgmCqCD.exe
Analysis ID: 404135
MD5: 5551346aa9f251895021b95a2a7cc390
SHA1: acbcecf7599d3c33f6f2a36c0947cfc633d0a406
SHA256: 9e189d8d48a66d2f53c972275642da7cbc8ad51b20f04cf1d592bef360db50cf
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}
Multi AV Scanner detection for submitted file
Source: g1EhgmCqCD.exe Virustotal: Detection: 19%
Source: g1EhgmCqCD.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: g1EhgmCqCD.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: g1EhgmCqCD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: g1EhgmCqCD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: g1EhgmCqCD.exe, 00000003.00000002.728612173.0000000001960000.00000040.00000001.sdmp, msiexec.exe, 00000009.00000002.910212121.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: g1EhgmCqCD.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 4x nop then pop edi 3_2_0040C368
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 4x nop then pop esi 3_2_004157FE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 9_2_001DC368
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop esi 9_2_001E57FE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.cats16.com/8u3b/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.kayandbernard.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.palomachurch.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.gb-contracting.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.effectivemarketinginc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.donelys.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.timbraunmusician.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.anygivenrunday.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 Host: www.2000deal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNSERVERSUS
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown DNS traffic detected: queries for: www.kayandbernard.com
Source: g1EhgmCqCD.exe, 00000001.00000003.651135793.0000000005B80000.00000004.00000001.sdmp String found in binary or memory: http://en.wikip
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: g1EhgmCqCD.exe, 00000001.00000002.667858038.00000000029F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000002.911535792.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com$d
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comI
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comfr
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comnic
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comu
Source: g1EhgmCqCD.exe String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: g1EhgmCqCD.exe String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: g1EhgmCqCD.exe, 00000001.00000003.653172373.0000000005B7E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html3
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comiona
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: g1EhgmCqCD.exe, 00000001.00000003.649504763.0000000005B98000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/8
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn6
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnH
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnKr4
Source: g1EhgmCqCD.exe, 00000001.00000003.649286426.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnr
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr-
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krn
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krcom
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krn-u
Source: explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: msiexec.exe, 00000009.00000002.912045913.00000000049E2000.00000004.00000001.sdmp String found in binary or memory: https://mollysmulligan.com/8u3b/?DzrXY=Q16
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: g1EhgmCqCD.exe, 00000001.00000002.667518282.0000000000CB0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_004181B0 NtCreateFile, 3_2_004181B0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00418260 NtReadFile, 3_2_00418260
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_004182E0 NtClose, 3_2_004182E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00418390 NtAllocateVirtualMemory, 3_2_00418390
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00418392 NtAllocateVirtualMemory, 3_2_00418392
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C99A0 NtCreateSection,LdrInitializeThunk, 3_2_019C99A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C95D0 NtClose,LdrInitializeThunk, 3_2_019C95D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_019C9910
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9540 NtReadFile,LdrInitializeThunk, 3_2_019C9540
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_019C98F0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9840 NtDelayExecution,LdrInitializeThunk, 3_2_019C9840
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_019C9860
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_019C9780
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_019C97A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_019C9FE0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_019C9710
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_019C96E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_019C9A00
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A20 NtResumeThread,LdrInitializeThunk, 3_2_019C9A20
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A50 NtCreateFile,LdrInitializeThunk, 3_2_019C9A50
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_019C9660
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C99D0 NtCreateProcessEx, 3_2_019C99D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C95F0 NtQueryInformationFile, 3_2_019C95F0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CAD30 NtSetContextThread, 3_2_019CAD30
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9520 NtWaitForSingleObject, 3_2_019C9520
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9950 NtQueueApcThread, 3_2_019C9950
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9560 NtWriteFile, 3_2_019C9560
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C98A0 NtWriteVirtualMemory, 3_2_019C98A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9820 NtEnumerateKey, 3_2_019C9820
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CB040 NtSuspendThread, 3_2_019CB040
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CA3B0 NtGetContextThread, 3_2_019CA3B0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CA710 NtOpenProcessToken, 3_2_019CA710
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9B00 NtSetValueKey, 3_2_019C9B00
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9730 NtQueryVirtualMemory, 3_2_019C9730
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9770 NtSetInformationFile, 3_2_019C9770
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CA770 NtOpenThread, 3_2_019CA770
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9760 NtOpenProcess, 3_2_019C9760
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A80 NtOpenDirectoryObject, 3_2_019C9A80
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C96D0 NtCreateKey, 3_2_019C96D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9610 NtEnumerateValueKey, 3_2_019C9610
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A10 NtQuerySection, 3_2_019C9A10
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9650 NtQueryValueKey, 3_2_019C9650
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9670 NtQueryInformationProcess, 3_2_019C9670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_00EC9860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9840 NtDelayExecution,LdrInitializeThunk, 9_2_00EC9840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC95D0 NtClose,LdrInitializeThunk, 9_2_00EC95D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC99A0 NtCreateSection,LdrInitializeThunk, 9_2_00EC99A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9540 NtReadFile,LdrInitializeThunk, 9_2_00EC9540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_00EC9910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_00EC96E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC96D0 NtCreateKey,LdrInitializeThunk, 9_2_00EC96D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_00EC9660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9650 NtQueryValueKey,LdrInitializeThunk, 9_2_00EC9650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A50 NtCreateFile,LdrInitializeThunk, 9_2_00EC9A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9FE0 NtCreateMutant,LdrInitializeThunk, 9_2_00EC9FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9780 NtMapViewOfSection,LdrInitializeThunk, 9_2_00EC9780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9710 NtQueryInformationToken,LdrInitializeThunk, 9_2_00EC9710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC98F0 NtReadVirtualMemory, 9_2_00EC98F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC98A0 NtWriteVirtualMemory, 9_2_00EC98A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECB040 NtSuspendThread, 9_2_00ECB040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9820 NtEnumerateKey, 9_2_00EC9820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC95F0 NtQueryInformationFile, 9_2_00EC95F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC99D0 NtCreateProcessEx, 9_2_00EC99D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9560 NtWriteFile, 9_2_00EC9560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9950 NtQueueApcThread, 9_2_00EC9950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9520 NtWaitForSingleObject, 9_2_00EC9520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECAD30 NtSetContextThread, 9_2_00ECAD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A80 NtOpenDirectoryObject, 9_2_00EC9A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9670 NtQueryInformationProcess, 9_2_00EC9670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A20 NtResumeThread, 9_2_00EC9A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A00 NtProtectVirtualMemory, 9_2_00EC9A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9610 NtEnumerateValueKey, 9_2_00EC9610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A10 NtQuerySection, 9_2_00EC9A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC97A0 NtUnmapViewOfSection, 9_2_00EC97A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECA3B0 NtGetContextThread, 9_2_00ECA3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9760 NtOpenProcess, 9_2_00EC9760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9770 NtSetInformationFile, 9_2_00EC9770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECA770 NtOpenThread, 9_2_00ECA770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9730 NtQueryVirtualMemory, 9_2_00EC9730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9B00 NtSetValueKey, 9_2_00EC9B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECA710 NtOpenProcessToken, 9_2_00ECA710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E81B0 NtCreateFile, 9_2_001E81B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E8260 NtReadFile, 9_2_001E8260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E82E0 NtClose, 9_2_001E82E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E8390 NtAllocateVirtualMemory, 9_2_001E8390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E8392 NtAllocateVirtualMemory, 9_2_001E8392
Detected potential crypto function
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_00CAB264 1_2_00CAB264
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_00CAC2B0 1_2_00CAC2B0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_00CA9990 1_2_00CA9990
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_00CADF71 1_2_00CADF71
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_04F77B3C 1_2_04F77B3C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_04F7A2D6 1_2_04F7A2D6
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041B944 3_2_0041B944
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041BB84 3_2_0041BB84
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00408C4B 3_2_00408C4B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00408C50 3_2_00408C50
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041BCF5 3_2_0041BCF5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041C5ED 3_2_0041C5ED
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041B70F 3_2_0041B70F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2581 3_2_019B2581
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A525DD 3_2_01A525DD
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199D5E0 3_2_0199D5E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198F900 3_2_0198F900
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A52D07 3_2_01A52D07
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01980D20 3_2_01980D20
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A4120 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A51D55 3_2_01A51D55
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199B090 3_2_0199B090
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A520A8 3_2_01A520A8
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A528EC 3_2_01A528EC
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199841F 3_2_0199841F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41002 3_2_01A41002
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BEBB0 3_2_019BEBB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A51FF1 3_2_01A51FF1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4DBD2 3_2_01A4DBD2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A52B28 3_2_01A52B28
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A522AE 3_2_01A522AE
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A52EF7 3_2_01A52EF7
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A6E30 3_2_019A6E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F528EC 9_2_00F528EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F520A8 9_2_00F520A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9B090 9_2_00E9B090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4D466 9_2_00F4D466
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41002 9_2_00F41002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9841F 9_2_00E9841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9D5E0 9_2_00E9D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F525DD 9_2_00F525DD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2581 9_2_00EB2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F51D55 9_2_00F51D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E80D20 9_2_00E80D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA4120 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8F900 9_2_00E8F900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F52D07 9_2_00F52D07
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F52EF7 9_2_00F52EF7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F522AE 9_2_00F522AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA6E30 9_2_00EA6E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F51FF1 9_2_00F51FF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4DBD2 9_2_00F4DBD2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBEBB0 9_2_00EBEBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F52B28 9_2_00F52B28
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EB944 9_2_001EB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EBB84 9_2_001EBB84
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001D8C50 9_2_001D8C50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001D8C4B 9_2_001D8C4B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EBCF5 9_2_001EBCF5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001D2D90 9_2_001D2D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EC5ED 9_2_001EC5ED
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001D2FB0 9_2_001D2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: String function: 0198B150 appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00E8B150 appears 35 times
PE file contains executable resources (Code or Archives)
Source: g1EhgmCqCD.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: g1EhgmCqCD.exe Binary or memory string: OriginalFilename vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000000.643686589.00000000005B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.667518282.0000000000CB0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.673721469.00000000072E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.672157538.0000000005AB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameIEFRAME.DLLD vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.672229683.0000000005B30000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.675343588.0000000008E80000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe Binary or memory string: OriginalFilename vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000003.00000000.665930767.0000000000E62000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000003.00000002.736288628.000000000379F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamemsiexec.exeX vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000003.00000002.728784074.0000000001A7F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: g1EhgmCqCD.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: g1EhgmCqCD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@13/5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g1EhgmCqCD.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: g1EhgmCqCD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: g1EhgmCqCD.exe Virustotal: Detection: 19%
Source: g1EhgmCqCD.exe ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: g1EhgmCqCD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: g1EhgmCqCD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: g1EhgmCqCD.exe, 00000003.00000002.728612173.0000000001960000.00000040.00000001.sdmp, msiexec.exe, 00000009.00000002.910212121.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: g1EhgmCqCD.exe, msiexec.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_04F7AE57 push 5D028C22h; ret 1_2_04F7AE4E
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_04F74E41 push eax; ret 1_2_04F74E53
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_04F7CF58 push eax; retf 1_2_04F7CF61
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00415AFB push eax; iretd 3_2_00415B02
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041B3F2 push eax; ret 3_2_0041B3F8
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041B3FB push eax; ret 3_2_0041B462
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041B3A5 push eax; ret 3_2_0041B3F8
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0041B45C push eax; ret 3_2_0041B462
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00414E3F push edx; retf 3_2_00414E4D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00415FF0 push es; iretd 3_2_00415FF1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019DD0D1 push ecx; ret 3_2_019DD0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EDD0D1 push ecx; ret 9_2_00EDD0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E5AFB push eax; iretd 9_2_001E5B02
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EB3A5 push eax; ret 9_2_001EB3F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EB3FB push eax; ret 9_2_001EB462
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EB3F2 push eax; ret 9_2_001EB3F8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001EB45C push eax; ret 9_2_001EB462
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E4E3F push edx; retf 9_2_001E4E4D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E5FF0 push es; iretd 9_2_001E5FF1
Source: initial sample Static PE information: section name: .text entropy: 7.63788106715
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process information set: NOOPENFILEERRORBOX (41 identical events)
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: g1EhgmCqCD.exe PID: 7100, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000001D85E4 second address: 00000000001D85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe RDTSC instruction interceptor: First address: 00000000001D896E second address: 00000000001D8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_004088A0 rdtsc 3_2_004088A0
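The four interceptor entries above all show the same six-byte sequence, rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, and the same image-relative offsets (…85E4 and …896E) in both g1EhgmCqCD.exe and the hollowed msiexec.exe, which is consistent with the same payload running in both processes. The two instructions between the reads are filler: the sample only cares about the difference between the two time-stamp counter values, because a debugger single-stepping the code or a hypervisor trapping rdtsc inflates that difference by orders of magnitude. The block below is an added example, not code from the report or from the sample, reconstructing that check; the 500-tick threshold and the loop count are assumptions, and on non-x86 hosts it falls back to a monotonic clock so the decision logic can still be exercised.

```c
// Added example (not code from the report or the sample): the rdtsc-delta
// timing check behind the "RDTSC instruction interceptor" entries.
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }
#else
#include <time.h>
/* Non-x86 fallback so the file still builds; the real check needs rdtsc. */
static uint64_t read_tsc(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* Decision logic kept separate from the measurement so it can be tested.
 * Returns 1 when two consecutive counter reads are further apart than
 * `threshold` ticks (assumed value), which the sample treats as evidence of
 * a debugger single-stepping or an emulator/hypervisor trapping rdtsc. */
static int tsc_delta_suspicious(uint64_t first, uint64_t second, uint64_t threshold) {
    if (second < first) return 1;            /* counter went backwards: not bare metal */
    return (second - first) > threshold;
}

/* Mirrors the report's sequence: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc.
 * The arithmetic between the reads is filler; only the delta is compared. */
static int rdtsc_check_once(uint64_t threshold, uint64_t *delta_out) {
    uint64_t t1 = read_tsc();
    volatile uint32_t filler = 0;
    filler += (uint32_t)t1;                  /* stands in for xor ecx,ecx / add ecx,eax */
    uint64_t t2 = read_tsc();
    if (delta_out) *delta_out = t2 - t1;
    return tsc_delta_suspicious(t1, t2, threshold);
}

/* Malware usually repeats the check and bails if any iteration trips it.
 * Returns how many of `iterations` exceeded the threshold. */
static unsigned rdtsc_check_loop(unsigned iterations, uint64_t threshold) {
    unsigned hits = 0;
    for (unsigned i = 0; i < iterations; i++)
        hits += (unsigned)rdtsc_check_once(threshold, NULL);
    return hits;
}

int main(void) {
    uint64_t delta = 0;
    int hit = rdtsc_check_once(500, &delta);
    printf("delta=%llu suspicious=%d\n", (unsigned long long)delta, hit);
    printf("loop hits: %u / 1000\n", rdtsc_check_loop(1000, 500));
    return 0;
}
```

Run it natively and under a debugger with single-stepping enabled to see the delta jump; a sandbox that wants to defeat this check has to either virtualise the TSC (so consecutive reads stay close) or patch the comparison, which is what the "instruction interceptor" in the report is doing.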
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe TID: 7144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe TID: 7104 Thread sleep time: -104000s >= -30000s
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe TID: 7132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6184 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5660 Thread sleep time: -42000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread delayed: delay time: 104000
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread delayed: delay time: 922337203685477
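The delay value 922337203685477 in the entries above is not a random large number: it is 2^63 / 10^4 rounded down, the millisecond magnitude of INT64_MIN, and INT64_MIN is the DelayInterval that kernelbase's Sleep() hands to NtDelayExecution for INFINITE. Threads 7144 and 7132 therefore never intend to wake up, while the 104000, 50000 and 42000 figures are finite sleeps that simply outlast a typical analysis window (the report compares against 30000). The block below is an added example, not code from the report or the sample, that encodes a Sleep() argument the way the kernel sees it, classifies it against an analysis budget, and shows the clamp a sandbox applies so the run does not stall. It assumes the report's figures are milliseconds despite the "s" suffix, and that 30000 ms is the budget.

```c
// Added example (not the sample's code): interpreting NtDelayExecution
// intervals the way the "Thread delayed" entries report them.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define INFINITE_MS  0xFFFFFFFFu    /* Win32 INFINITE */
#define TICKS_PER_MS 10000LL        /* NtDelayExecution counts 100 ns ticks */

enum delay_class { DELAY_ABSOLUTE, DELAY_NORMAL, DELAY_LONG, DELAY_INFINITE };

/* What Sleep(ms) passes to NtDelayExecution: a negative (relative) interval
 * in 100 ns ticks, or INT64_MIN for INFINITE. */
static int64_t sleep_ms_to_interval(uint32_t ms) {
    if (ms == INFINITE_MS) return INT64_MIN;
    return -((int64_t)ms * TICKS_PER_MS);
}

/* Magnitude of a relative interval in milliseconds, computed in unsigned
 * arithmetic so INT64_MIN does not overflow: 2^63 / 10^4 = 922337203685477,
 * the exact figure the report prints for the never-returning sleeps. */
static uint64_t interval_to_ms(int64_t interval) {
    uint64_t magnitude = (uint64_t)0 - (uint64_t)interval;
    return magnitude / (uint64_t)TICKS_PER_MS;
}

static enum delay_class classify_delay(int64_t interval, uint64_t budget_ms) {
    if (interval >= 0) return DELAY_ABSOLUTE;   /* absolute wake-up time; needs a clock */
    if (interval == INT64_MIN) return DELAY_INFINITE;
    return interval_to_ms(interval) >= budget_ms ? DELAY_LONG : DELAY_NORMAL;
}

/* Sandbox-side mitigation: rewrite an evasive interval so the thread wakes
 * within the analysis budget instead of stalling the run. */
static int64_t clamp_delay(int64_t interval, uint64_t budget_ms) {
    enum delay_class c = classify_delay(interval, budget_ms);
    if (c == DELAY_LONG || c == DELAY_INFINITE)
        return -((int64_t)budget_ms * TICKS_PER_MS);
    return interval;
}

int main(void) {
    /* Constructed inputs: the four distinct values seen in the report. */
    const uint32_t observed_ms[] = { INFINITE_MS, 104000u, 50000u, 42000u };
    for (size_t i = 0; i < sizeof observed_ms / sizeof observed_ms[0]; i++) {
        int64_t iv = sleep_ms_to_interval(observed_ms[i]);
        printf("interval=%lld ms=%llu class=%d clamped=%lld\n",
               (long long)iv, (unsigned long long)interval_to_ms(iv),
               (int)classify_delay(iv, 30000), (long long)clamp_delay(iv, 30000));
    }
    return 0;
}
```

The clamp is what produces the "Sample execution stops while process was sleeping" verdicts: once the sandbox shortens the wait, a sample that was relying on the sleep to outlive the analysis simply runs its next stage early, or, as here, stays parked in the delayed thread because it was waiting for a wake-up that was never going to come.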
Source: explorer.exe, 00000004.00000000.698332601.000000000FCE8000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.686782958.0000000004710000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.693765738.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: vmware
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000002.922317177.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.693765738.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.694412847.000000000A9CC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%%
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000002.919520811.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.693874904.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000004.00000000.693874904.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: g1EhgmCqCD.exe, 00000001.00000002.667561253.0000000000CEF000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000004.00000002.921706000.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_004088A0 rdtsc 3_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_00409B10 LdrLoadDll, 3_2_00409B10
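The DebugPort query above (NtQueryInformationProcess with ProcessDebugPort) and the long run of mov eax/ecx, dword ptr fs:[00000030h] entries that follow are the two classic user-mode debugger checks: the first asks the kernel whether a debug port is attached, the second reads the PEB pointer out of the TEB so the code can test PEB->BeingDebugged or walk PEB->Ldr without calling any API. The sandbox's "Contains functionality to read the PEB" signature is a static byte-pattern match on those fs:[30h] reads. The block below is an added example, not the sandbox's or the sample's code, that implements that match for the three common 32-bit encodings and runs it over a constructed instruction sequence; the sequence and the offsets it yields are illustrative, not bytes taken from this sample.

```c
// Added example (not the sandbox's or the sample's code): a byte-pattern
// scanner for the x86 encodings of "mov eax/ecx, dword ptr fs:[30h]".
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encodings of a 32-bit read of fs:[0x30], the PEB pointer inside the TEB. */
static const struct peb_pattern {
    const char *mnemonic;
    uint8_t bytes[8];
    size_t len;
} PEB_PATTERNS[] = {
    { "mov eax, fs:[30h] (moffs form)", { 0x64, 0xA1, 0x30, 0x00, 0x00, 0x00 }, 6 },
    { "mov eax, fs:[30h] (modrm form)", { 0x64, 0x8B, 0x05, 0x30, 0x00, 0x00, 0x00 }, 7 },
    { "mov ecx, fs:[30h]",              { 0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00 }, 7 },
};

#define MAX_HITS 64
struct peb_hit { size_t offset; const char *mnemonic; };

/* Scans `buf` for every PEB-pointer read and records its offset. Returns the
 * number of hits (capped at max_hits). Skipping past a match is safe because
 * no pattern contains the 0x64 fs: prefix anywhere but its first byte. */
static size_t find_peb_reads(const uint8_t *buf, size_t len,
                             struct peb_hit *hits, size_t max_hits) {
    size_t n = 0;
    for (size_t i = 0; i < len && n < max_hits; i++) {
        if (buf[i] != 0x64) continue;                 /* fs: segment override */
        for (size_t p = 0; p < sizeof PEB_PATTERNS / sizeof PEB_PATTERNS[0]; p++) {
            size_t plen = PEB_PATTERNS[p].len;
            if (i + plen <= len && memcmp(buf + i, PEB_PATTERNS[p].bytes, plen) == 0) {
                hits[n].offset = i;
                hits[n].mnemonic = PEB_PATTERNS[p].mnemonic;
                n++;
                i += plen - 1;
                break;
            }
        }
    }
    return n;
}

/* Constructed test image (hypothetical, not bytes from the sample): a
 * BeingDebugged check (PEB+2) followed by an Ldr walk, with a stray 0x64
 * that must not match. */
static const uint8_t SAMPLE_CODE[] = {
    0x55,                                     /* push ebp */
    0x8B, 0xEC,                               /* mov ebp, esp */
    0x64, 0xA1, 0x30, 0x00, 0x00, 0x00,       /* mov eax, fs:[30h]            (offset 3) */
    0x0F, 0xB6, 0x40, 0x02,                   /* movzx eax, byte ptr [eax+2]  BeingDebugged */
    0x85, 0xC0,                               /* test eax, eax */
    0x75, 0x02,                               /* jnz +2 */
    0x64, 0x8B, 0x0D, 0x30, 0x00, 0x00, 0x00, /* mov ecx, fs:[30h]            (offset 17) */
    0x8B, 0x49, 0x0C,                         /* mov ecx, [ecx+0Ch]           PEB->Ldr */
    0x64, 0x00,                               /* stray fs: prefix, not a PEB read */
    0xC3,                                     /* ret */
};

static size_t count_peb_reads_in_sample(void) {
    struct peb_hit hits[MAX_HITS];
    return find_peb_reads(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
}

/* Offset of the n-th hit in SAMPLE_CODE, or -1 if there is no such hit. */
static long nth_peb_read_offset(size_t n) {
    struct peb_hit hits[MAX_HITS];
    size_t count = find_peb_reads(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
    return n < count ? (long)hits[n].offset : -1;
}

int main(void) {
    struct peb_hit hits[MAX_HITS];
    size_t n = find_peb_reads(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        printf("offset 0x%02zx: %s\n", hits[i].offset, hits[i].mnemonic);
    return 0;
}
```

Pointed at a dumped process image rather than the constructed buffer, the same scanner reproduces the offsets listed under "Contains functionality to read the PEB"; the reason the report shows several hundred of them is that the unpacked FormBook payload resolves its imports by walking PEB->Ldr from scratch in every function that needs an API, not only in the anti-debug check.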
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BFD9B mov eax, dword ptr fs:[00000030h] 3_2_019BFD9B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BFD9B mov eax, dword ptr fs:[00000030h] 3_2_019BFD9B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A069A6 mov eax, dword ptr fs:[00000030h] 3_2_01A069A6
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A505AC mov eax, dword ptr fs:[00000030h] 3_2_01A505AC
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A505AC mov eax, dword ptr fs:[00000030h] 3_2_01A505AC
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2990 mov eax, dword ptr fs:[00000030h] 3_2_019B2990
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h] 3_2_01982D8A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h] 3_2_01982D8A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h] 3_2_01982D8A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h] 3_2_01982D8A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01982D8A mov eax, dword ptr fs:[00000030h] 3_2_01982D8A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AC182 mov eax, dword ptr fs:[00000030h] 3_2_019AC182
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h] 3_2_019B2581
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h] 3_2_019B2581
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h] 3_2_019B2581
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2581 mov eax, dword ptr fs:[00000030h] 3_2_019B2581
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BA185 mov eax, dword ptr fs:[00000030h] 3_2_019BA185
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h] 3_2_01A051BE
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h] 3_2_01A051BE
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h] 3_2_01A051BE
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A051BE mov eax, dword ptr fs:[00000030h] 3_2_01A051BE
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h] 3_2_019B1DB5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h] 3_2_019B1DB5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B1DB5 mov eax, dword ptr fs:[00000030h] 3_2_019B1DB5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B35A1 mov eax, dword ptr fs:[00000030h] 3_2_019B35A1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B61A0 mov eax, dword ptr fs:[00000030h] 3_2_019B61A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B61A0 mov eax, dword ptr fs:[00000030h] 3_2_019B61A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h] 3_2_01A4FDE2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h] 3_2_01A4FDE2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h] 3_2_01A4FDE2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4FDE2 mov eax, dword ptr fs:[00000030h] 3_2_01A4FDE2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A141E8 mov eax, dword ptr fs:[00000030h] 3_2_01A141E8
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A38DF1 mov eax, dword ptr fs:[00000030h] 3_2_01A38DF1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h] 3_2_01A06DC9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h] 3_2_01A06DC9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h] 3_2_01A06DC9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06DC9 mov ecx, dword ptr fs:[00000030h] 3_2_01A06DC9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h] 3_2_01A06DC9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06DC9 mov eax, dword ptr fs:[00000030h] 3_2_01A06DC9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0198B1E1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0198B1E1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198B1E1 mov eax, dword ptr fs:[00000030h] 3_2_0198B1E1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199D5E0 mov eax, dword ptr fs:[00000030h] 3_2_0199D5E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199D5E0 mov eax, dword ptr fs:[00000030h] 3_2_0199D5E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A58D34 mov eax, dword ptr fs:[00000030h] 3_2_01A58D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A0A537 mov eax, dword ptr fs:[00000030h] 3_2_01A0A537
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989100 mov eax, dword ptr fs:[00000030h] 3_2_01989100
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989100 mov eax, dword ptr fs:[00000030h] 3_2_01989100
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989100 mov eax, dword ptr fs:[00000030h] 3_2_01989100
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4E539 mov eax, dword ptr fs:[00000030h] 3_2_01A4E539
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h] 3_2_019B4D3B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h] 3_2_019B4D3B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B4D3B mov eax, dword ptr fs:[00000030h] 3_2_019B4D3B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B513A mov eax, dword ptr fs:[00000030h] 3_2_019B513A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B513A mov eax, dword ptr fs:[00000030h] 3_2_019B513A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198AD30 mov eax, dword ptr fs:[00000030h] 3_2_0198AD30
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01993D34 mov eax, dword ptr fs:[00000030h] 3_2_01993D34
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h] 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h] 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h] 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A4120 mov eax, dword ptr fs:[00000030h] 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A4120 mov ecx, dword ptr fs:[00000030h] 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A7D50 mov eax, dword ptr fs:[00000030h] 3_2_019A7D50
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AB944 mov eax, dword ptr fs:[00000030h] 3_2_019AB944
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AB944 mov eax, dword ptr fs:[00000030h] 3_2_019AB944
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C3D43 mov eax, dword ptr fs:[00000030h] 3_2_019C3D43
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A03540 mov eax, dword ptr fs:[00000030h] 3_2_01A03540
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198B171 mov eax, dword ptr fs:[00000030h] 3_2_0198B171
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198B171 mov eax, dword ptr fs:[00000030h] 3_2_0198B171
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AC577 mov eax, dword ptr fs:[00000030h] 3_2_019AC577
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AC577 mov eax, dword ptr fs:[00000030h] 3_2_019AC577
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198C962 mov eax, dword ptr fs:[00000030h] 3_2_0198C962
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199849B mov eax, dword ptr fs:[00000030h] 3_2_0199849B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989080 mov eax, dword ptr fs:[00000030h] 3_2_01989080
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BF0BF mov ecx, dword ptr fs:[00000030h] 3_2_019BF0BF
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BF0BF mov eax, dword ptr fs:[00000030h] 3_2_019BF0BF
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BF0BF mov eax, dword ptr fs:[00000030h] 3_2_019BF0BF
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A03884 mov eax, dword ptr fs:[00000030h] 3_2_01A03884
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A03884 mov eax, dword ptr fs:[00000030h] 3_2_01A03884
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C90AF mov eax, dword ptr fs:[00000030h] 3_2_019C90AF
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h] 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h] 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h] 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h] 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h] 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B20A0 mov eax, dword ptr fs:[00000030h] 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h] 3_2_01A06CF0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h] 3_2_01A06CF0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06CF0 mov eax, dword ptr fs:[00000030h] 3_2_01A06CF0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A414FB mov eax, dword ptr fs:[00000030h] 3_2_01A414FB
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1B8D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_01A1B8D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1B8D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1B8D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1B8D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1B8D0 mov eax, dword ptr fs:[00000030h] 3_2_01A1B8D0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A58CD6 mov eax, dword ptr fs:[00000030h] 3_2_01A58CD6
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019858EC mov eax, dword ptr fs:[00000030h] 3_2_019858EC
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41C06 mov eax, dword ptr fs:[00000030h] 3_2_01A41C06
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A5740D mov eax, dword ptr fs:[00000030h] 3_2_01A5740D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A5740D mov eax, dword ptr fs:[00000030h] 3_2_01A5740D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A5740D mov eax, dword ptr fs:[00000030h] 3_2_01A5740D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h] 3_2_01A06C0A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h] 3_2_01A06C0A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h] 3_2_01A06C0A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A06C0A mov eax, dword ptr fs:[00000030h] 3_2_01A06C0A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A54015 mov eax, dword ptr fs:[00000030h] 3_2_01A54015
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A54015 mov eax, dword ptr fs:[00000030h] 3_2_01A54015
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h] 3_2_0199B02A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h] 3_2_0199B02A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h] 3_2_0199B02A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199B02A mov eax, dword ptr fs:[00000030h] 3_2_0199B02A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A07016 mov eax, dword ptr fs:[00000030h] 3_2_01A07016
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A07016 mov eax, dword ptr fs:[00000030h] 3_2_01A07016
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A07016 mov eax, dword ptr fs:[00000030h] 3_2_01A07016
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h] 3_2_019B002D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h] 3_2_019B002D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h] 3_2_019B002D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h] 3_2_019B002D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B002D mov eax, dword ptr fs:[00000030h] 3_2_019B002D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BBC2C mov eax, dword ptr fs:[00000030h] 3_2_019BBC2C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A0050 mov eax, dword ptr fs:[00000030h] 3_2_019A0050
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A0050 mov eax, dword ptr fs:[00000030h] 3_2_019A0050
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BA44B mov eax, dword ptr fs:[00000030h] 3_2_019BA44B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A51074 mov eax, dword ptr fs:[00000030h] 3_2_01A51074
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A42073 mov eax, dword ptr fs:[00000030h] 3_2_01A42073
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1C450 mov eax, dword ptr fs:[00000030h] 3_2_01A1C450
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1C450 mov eax, dword ptr fs:[00000030h] 3_2_01A1C450
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A746D mov eax, dword ptr fs:[00000030h] 3_2_019A746D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A55BA5 mov eax, dword ptr fs:[00000030h] 3_2_01A55BA5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BB390 mov eax, dword ptr fs:[00000030h] 3_2_019BB390
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2397 mov eax, dword ptr fs:[00000030h] 3_2_019B2397
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01998794 mov eax, dword ptr fs:[00000030h] 3_2_01998794
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01991B8F mov eax, dword ptr fs:[00000030h] 3_2_01991B8F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01991B8F mov eax, dword ptr fs:[00000030h] 3_2_01991B8F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A3D380 mov ecx, dword ptr fs:[00000030h] 3_2_01A3D380
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4138A mov eax, dword ptr fs:[00000030h] 3_2_01A4138A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A07794 mov eax, dword ptr fs:[00000030h] 3_2_01A07794
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A07794 mov eax, dword ptr fs:[00000030h] 3_2_01A07794
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A07794 mov eax, dword ptr fs:[00000030h] 3_2_01A07794
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B4BAD mov eax, dword ptr fs:[00000030h] 3_2_019B4BAD
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B4BAD mov eax, dword ptr fs:[00000030h] 3_2_019B4BAD
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B4BAD mov eax, dword ptr fs:[00000030h] 3_2_019B4BAD
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C37F5 mov eax, dword ptr fs:[00000030h] 3_2_019C37F5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A053CA mov eax, dword ptr fs:[00000030h] 3_2_01A053CA
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A053CA mov eax, dword ptr fs:[00000030h] 3_2_01A053CA
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019ADBE9 mov eax, dword ptr fs:[00000030h] 3_2_019ADBE9
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h] 3_2_019B03E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h] 3_2_019B03E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h] 3_2_019B03E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h] 3_2_019B03E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h] 3_2_019B03E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B03E2 mov eax, dword ptr fs:[00000030h] 3_2_019B03E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AF716 mov eax, dword ptr fs:[00000030h] 3_2_019AF716
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BA70E mov eax, dword ptr fs:[00000030h] 3_2_019BA70E
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BA70E mov eax, dword ptr fs:[00000030h] 3_2_019BA70E
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A5070D mov eax, dword ptr fs:[00000030h] 3_2_01A5070D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A5070D mov eax, dword ptr fs:[00000030h] 3_2_01A5070D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BE730 mov eax, dword ptr fs:[00000030h] 3_2_019BE730
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1FF10 mov eax, dword ptr fs:[00000030h] 3_2_01A1FF10
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1FF10 mov eax, dword ptr fs:[00000030h] 3_2_01A1FF10
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01984F2E mov eax, dword ptr fs:[00000030h] 3_2_01984F2E
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01984F2E mov eax, dword ptr fs:[00000030h] 3_2_01984F2E
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4131B mov eax, dword ptr fs:[00000030h] 3_2_01A4131B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198F358 mov eax, dword ptr fs:[00000030h] 3_2_0198F358
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A58F6A mov eax, dword ptr fs:[00000030h] 3_2_01A58F6A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198DB40 mov eax, dword ptr fs:[00000030h] 3_2_0198DB40
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199EF40 mov eax, dword ptr fs:[00000030h] 3_2_0199EF40
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B3B7A mov eax, dword ptr fs:[00000030h] 3_2_019B3B7A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B3B7A mov eax, dword ptr fs:[00000030h] 3_2_019B3B7A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198DB60 mov ecx, dword ptr fs:[00000030h] 3_2_0198DB60
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199FF60 mov eax, dword ptr fs:[00000030h] 3_2_0199FF60
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A58B58 mov eax, dword ptr fs:[00000030h] 3_2_01A58B58
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A50EA5 mov eax, dword ptr fs:[00000030h] 3_2_01A50EA5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A50EA5 mov eax, dword ptr fs:[00000030h] 3_2_01A50EA5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A50EA5 mov eax, dword ptr fs:[00000030h] 3_2_01A50EA5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A046A7 mov eax, dword ptr fs:[00000030h] 3_2_01A046A7
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BD294 mov eax, dword ptr fs:[00000030h] 3_2_019BD294
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BD294 mov eax, dword ptr fs:[00000030h] 3_2_019BD294
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A1FE87 mov eax, dword ptr fs:[00000030h] 3_2_01A1FE87
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0199AAB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199AAB0 mov eax, dword ptr fs:[00000030h] 3_2_0199AAB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BFAB0 mov eax, dword ptr fs:[00000030h] 3_2_019BFAB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h] 3_2_019852A5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h] 3_2_019852A5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h] 3_2_019852A5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h] 3_2_019852A5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019852A5 mov eax, dword ptr fs:[00000030h] 3_2_019852A5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2ACB mov eax, dword ptr fs:[00000030h] 3_2_019B2ACB
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B36CC mov eax, dword ptr fs:[00000030h] 3_2_019B36CC
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C8EC7 mov eax, dword ptr fs:[00000030h] 3_2_019C8EC7
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A3FEC0 mov eax, dword ptr fs:[00000030h] 3_2_01A3FEC0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A58ED6 mov eax, dword ptr fs:[00000030h] 3_2_01A58ED6
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B16E0 mov ecx, dword ptr fs:[00000030h] 3_2_019B16E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019976E2 mov eax, dword ptr fs:[00000030h] 3_2_019976E2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B2AE4 mov eax, dword ptr fs:[00000030h] 3_2_019B2AE4
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019A3A1C mov eax, dword ptr fs:[00000030h] 3_2_019A3A1C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BA61C mov eax, dword ptr fs:[00000030h] 3_2_019BA61C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019BA61C mov eax, dword ptr fs:[00000030h] 3_2_019BA61C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01985210 mov eax, dword ptr fs:[00000030h] 3_2_01985210
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01985210 mov ecx, dword ptr fs:[00000030h] 3_2_01985210
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01985210 mov eax, dword ptr fs:[00000030h] 3_2_01985210
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01985210 mov eax, dword ptr fs:[00000030h] 3_2_01985210
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198AA16 mov eax, dword ptr fs:[00000030h] 3_2_0198AA16
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198AA16 mov eax, dword ptr fs:[00000030h] 3_2_0198AA16
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01998A0A mov eax, dword ptr fs:[00000030h] 3_2_01998A0A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198C600 mov eax, dword ptr fs:[00000030h] 3_2_0198C600
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198C600 mov eax, dword ptr fs:[00000030h] 3_2_0198C600
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198C600 mov eax, dword ptr fs:[00000030h] 3_2_0198C600
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019B8E00 mov eax, dword ptr fs:[00000030h] 3_2_019B8E00
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A3FE3F mov eax, dword ptr fs:[00000030h] 3_2_01A3FE3F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A41608 mov eax, dword ptr fs:[00000030h] 3_2_01A41608
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C4A2C mov eax, dword ptr fs:[00000030h] 3_2_019C4A2C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C4A2C mov eax, dword ptr fs:[00000030h] 3_2_019C4A2C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0198E620 mov eax, dword ptr fs:[00000030h] 3_2_0198E620
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A3B260 mov eax, dword ptr fs:[00000030h] 3_2_01A3B260
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A3B260 mov eax, dword ptr fs:[00000030h] 3_2_01A3B260
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A58A62 mov eax, dword ptr fs:[00000030h] 3_2_01A58A62
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h] 3_2_01989240
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h] 3_2_01989240
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h] 3_2_01989240
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01989240 mov eax, dword ptr fs:[00000030h] 3_2_01989240
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h] 3_2_01997E41
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h] 3_2_01997E41
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h] 3_2_01997E41
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h] 3_2_01997E41
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h] 3_2_01997E41
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01997E41 mov eax, dword ptr fs:[00000030h] 3_2_01997E41
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4AE44 mov eax, dword ptr fs:[00000030h] 3_2_01A4AE44
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4AE44 mov eax, dword ptr fs:[00000030h] 3_2_01A4AE44
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C927A mov eax, dword ptr fs:[00000030h] 3_2_019C927A
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h] 3_2_019AAE73
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h] 3_2_019AAE73
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h] 3_2_019AAE73
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h] 3_2_019AAE73
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019AAE73 mov eax, dword ptr fs:[00000030h] 3_2_019AAE73
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A4EA55 mov eax, dword ptr fs:[00000030h] 3_2_01A4EA55
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_0199766D mov eax, dword ptr fs:[00000030h] 3_2_0199766D
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_01A14257 mov eax, dword ptr fs:[00000030h] 3_2_01A14257
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06CF0 mov eax, dword ptr fs:[00000030h] 9_2_00F06CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06CF0 mov eax, dword ptr fs:[00000030h] 9_2_00F06CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06CF0 mov eax, dword ptr fs:[00000030h] 9_2_00F06CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E858EC mov eax, dword ptr fs:[00000030h] 9_2_00E858EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F414FB mov eax, dword ptr fs:[00000030h] 9_2_00F414FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00F1B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_00F1B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00F1B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00F1B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00F1B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1B8D0 mov eax, dword ptr fs:[00000030h] 9_2_00F1B8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F58CD6 mov eax, dword ptr fs:[00000030h] 9_2_00F58CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC90AF mov eax, dword ptr fs:[00000030h] 9_2_00EC90AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBF0BF mov ecx, dword ptr fs:[00000030h] 9_2_00EBF0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBF0BF mov eax, dword ptr fs:[00000030h] 9_2_00EBF0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBF0BF mov eax, dword ptr fs:[00000030h] 9_2_00EBF0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89080 mov eax, dword ptr fs:[00000030h] 9_2_00E89080
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9849B mov eax, dword ptr fs:[00000030h] 9_2_00E9849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F03884 mov eax, dword ptr fs:[00000030h] 9_2_00F03884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F03884 mov eax, dword ptr fs:[00000030h] 9_2_00F03884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F51074 mov eax, dword ptr fs:[00000030h] 9_2_00F51074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F42073 mov eax, dword ptr fs:[00000030h] 9_2_00F42073
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA746D mov eax, dword ptr fs:[00000030h] 9_2_00EA746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBA44B mov eax, dword ptr fs:[00000030h] 9_2_00EBA44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1C450 mov eax, dword ptr fs:[00000030h] 9_2_00F1C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1C450 mov eax, dword ptr fs:[00000030h] 9_2_00F1C450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA0050 mov eax, dword ptr fs:[00000030h] 9_2_00EA0050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA0050 mov eax, dword ptr fs:[00000030h] 9_2_00EA0050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9B02A mov eax, dword ptr fs:[00000030h] 9_2_00E9B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9B02A mov eax, dword ptr fs:[00000030h] 9_2_00E9B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9B02A mov eax, dword ptr fs:[00000030h] 9_2_00E9B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9B02A mov eax, dword ptr fs:[00000030h] 9_2_00E9B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB002D mov eax, dword ptr fs:[00000030h] 9_2_00EB002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB002D mov eax, dword ptr fs:[00000030h] 9_2_00EB002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB002D mov eax, dword ptr fs:[00000030h] 9_2_00EB002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB002D mov eax, dword ptr fs:[00000030h] 9_2_00EB002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB002D mov eax, dword ptr fs:[00000030h] 9_2_00EB002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBBC2C mov eax, dword ptr fs:[00000030h] 9_2_00EBBC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F54015 mov eax, dword ptr fs:[00000030h] 9_2_00F54015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F54015 mov eax, dword ptr fs:[00000030h] 9_2_00F54015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F07016 mov eax, dword ptr fs:[00000030h] 9_2_00F07016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F07016 mov eax, dword ptr fs:[00000030h] 9_2_00F07016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F07016 mov eax, dword ptr fs:[00000030h] 9_2_00F07016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41C06 mov eax, dword ptr fs:[00000030h] 9_2_00F41C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F5740D mov eax, dword ptr fs:[00000030h] 9_2_00F5740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F5740D mov eax, dword ptr fs:[00000030h] 9_2_00F5740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F5740D mov eax, dword ptr fs:[00000030h] 9_2_00F5740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06C0A mov eax, dword ptr fs:[00000030h] 9_2_00F06C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06C0A mov eax, dword ptr fs:[00000030h] 9_2_00F06C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06C0A mov eax, dword ptr fs:[00000030h] 9_2_00F06C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06C0A mov eax, dword ptr fs:[00000030h] 9_2_00F06C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F38DF1 mov eax, dword ptr fs:[00000030h] 9_2_00F38DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00E8B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00E8B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8B1E1 mov eax, dword ptr fs:[00000030h] 9_2_00E8B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9D5E0 mov eax, dword ptr fs:[00000030h] 9_2_00E9D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9D5E0 mov eax, dword ptr fs:[00000030h] 9_2_00E9D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00F4FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00F4FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00F4FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4FDE2 mov eax, dword ptr fs:[00000030h] 9_2_00F4FDE2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F141E8 mov eax, dword ptr fs:[00000030h] 9_2_00F141E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06DC9 mov eax, dword ptr fs:[00000030h] 9_2_00F06DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06DC9 mov eax, dword ptr fs:[00000030h] 9_2_00F06DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06DC9 mov eax, dword ptr fs:[00000030h] 9_2_00F06DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06DC9 mov ecx, dword ptr fs:[00000030h] 9_2_00F06DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06DC9 mov eax, dword ptr fs:[00000030h] 9_2_00F06DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F06DC9 mov eax, dword ptr fs:[00000030h] 9_2_00F06DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB35A1 mov eax, dword ptr fs:[00000030h] 9_2_00EB35A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB61A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB61A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB61A0 mov eax, dword ptr fs:[00000030h] 9_2_00EB61A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F051BE mov eax, dword ptr fs:[00000030h] 9_2_00F051BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F051BE mov eax, dword ptr fs:[00000030h] 9_2_00F051BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F051BE mov eax, dword ptr fs:[00000030h] 9_2_00F051BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F051BE mov eax, dword ptr fs:[00000030h] 9_2_00F051BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F069A6 mov eax, dword ptr fs:[00000030h] 9_2_00F069A6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F505AC mov eax, dword ptr fs:[00000030h] 9_2_00F505AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F505AC mov eax, dword ptr fs:[00000030h] 9_2_00F505AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB1DB5 mov eax, dword ptr fs:[00000030h] 9_2_00EB1DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB1DB5 mov eax, dword ptr fs:[00000030h] 9_2_00EB1DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB1DB5 mov eax, dword ptr fs:[00000030h] 9_2_00EB1DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E82D8A mov eax, dword ptr fs:[00000030h] 9_2_00E82D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E82D8A mov eax, dword ptr fs:[00000030h] 9_2_00E82D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E82D8A mov eax, dword ptr fs:[00000030h] 9_2_00E82D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E82D8A mov eax, dword ptr fs:[00000030h] 9_2_00E82D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E82D8A mov eax, dword ptr fs:[00000030h] 9_2_00E82D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAC182 mov eax, dword ptr fs:[00000030h] 9_2_00EAC182
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2581 mov eax, dword ptr fs:[00000030h] 9_2_00EB2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2581 mov eax, dword ptr fs:[00000030h] 9_2_00EB2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2581 mov eax, dword ptr fs:[00000030h] 9_2_00EB2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2581 mov eax, dword ptr fs:[00000030h] 9_2_00EB2581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBA185 mov eax, dword ptr fs:[00000030h] 9_2_00EBA185
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBFD9B mov eax, dword ptr fs:[00000030h] 9_2_00EBFD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBFD9B mov eax, dword ptr fs:[00000030h] 9_2_00EBFD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2990 mov eax, dword ptr fs:[00000030h] 9_2_00EB2990
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8C962 mov eax, dword ptr fs:[00000030h] 9_2_00E8C962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8B171 mov eax, dword ptr fs:[00000030h] 9_2_00E8B171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8B171 mov eax, dword ptr fs:[00000030h] 9_2_00E8B171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAC577 mov eax, dword ptr fs:[00000030h] 9_2_00EAC577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAC577 mov eax, dword ptr fs:[00000030h] 9_2_00EAC577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAB944 mov eax, dword ptr fs:[00000030h] 9_2_00EAB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAB944 mov eax, dword ptr fs:[00000030h] 9_2_00EAB944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC3D43 mov eax, dword ptr fs:[00000030h] 9_2_00EC3D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F03540 mov eax, dword ptr fs:[00000030h] 9_2_00F03540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA7D50 mov eax, dword ptr fs:[00000030h] 9_2_00EA7D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F58D34 mov eax, dword ptr fs:[00000030h] 9_2_00F58D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F0A537 mov eax, dword ptr fs:[00000030h] 9_2_00F0A537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA4120 mov eax, dword ptr fs:[00000030h] 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA4120 mov eax, dword ptr fs:[00000030h] 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA4120 mov eax, dword ptr fs:[00000030h] 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA4120 mov eax, dword ptr fs:[00000030h] 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA4120 mov ecx, dword ptr fs:[00000030h] 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4E539 mov eax, dword ptr fs:[00000030h] 9_2_00F4E539
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB4D3B mov eax, dword ptr fs:[00000030h] 9_2_00EB4D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB4D3B mov eax, dword ptr fs:[00000030h] 9_2_00EB4D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB4D3B mov eax, dword ptr fs:[00000030h] 9_2_00EB4D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB513A mov eax, dword ptr fs:[00000030h] 9_2_00EB513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB513A mov eax, dword ptr fs:[00000030h] 9_2_00EB513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8AD30 mov eax, dword ptr fs:[00000030h] 9_2_00E8AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E93D34 mov eax, dword ptr fs:[00000030h] 9_2_00E93D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89100 mov eax, dword ptr fs:[00000030h] 9_2_00E89100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89100 mov eax, dword ptr fs:[00000030h] 9_2_00E89100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89100 mov eax, dword ptr fs:[00000030h] 9_2_00E89100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB16E0 mov ecx, dword ptr fs:[00000030h] 9_2_00EB16E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E976E2 mov eax, dword ptr fs:[00000030h] 9_2_00E976E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2AE4 mov eax, dword ptr fs:[00000030h] 9_2_00EB2AE4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB2ACB mov eax, dword ptr fs:[00000030h] 9_2_00EB2ACB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F58ED6 mov eax, dword ptr fs:[00000030h] 9_2_00F58ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB36CC mov eax, dword ptr fs:[00000030h] 9_2_00EB36CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC8EC7 mov eax, dword ptr fs:[00000030h] 9_2_00EC8EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F3FEC0 mov eax, dword ptr fs:[00000030h] 9_2_00F3FEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E852A5 mov eax, dword ptr fs:[00000030h] 9_2_00E852A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E852A5 mov eax, dword ptr fs:[00000030h] 9_2_00E852A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E852A5 mov eax, dword ptr fs:[00000030h] 9_2_00E852A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E852A5 mov eax, dword ptr fs:[00000030h] 9_2_00E852A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E852A5 mov eax, dword ptr fs:[00000030h] 9_2_00E852A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F50EA5 mov eax, dword ptr fs:[00000030h] 9_2_00F50EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F50EA5 mov eax, dword ptr fs:[00000030h] 9_2_00F50EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F50EA5 mov eax, dword ptr fs:[00000030h] 9_2_00F50EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F046A7 mov eax, dword ptr fs:[00000030h] 9_2_00F046A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9AAB0 mov eax, dword ptr fs:[00000030h] 9_2_00E9AAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9AAB0 mov eax, dword ptr fs:[00000030h] 9_2_00E9AAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBFAB0 mov eax, dword ptr fs:[00000030h] 9_2_00EBFAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F1FE87 mov eax, dword ptr fs:[00000030h] 9_2_00F1FE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBD294 mov eax, dword ptr fs:[00000030h] 9_2_00EBD294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBD294 mov eax, dword ptr fs:[00000030h] 9_2_00EBD294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E9766D mov eax, dword ptr fs:[00000030h] 9_2_00E9766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F3B260 mov eax, dword ptr fs:[00000030h] 9_2_00F3B260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F3B260 mov eax, dword ptr fs:[00000030h] 9_2_00F3B260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC927A mov eax, dword ptr fs:[00000030h] 9_2_00EC927A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F58A62 mov eax, dword ptr fs:[00000030h] 9_2_00F58A62
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h] 9_2_00EAAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h] 9_2_00EAAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h] 9_2_00EAAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h] 9_2_00EAAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EAAE73 mov eax, dword ptr fs:[00000030h] 9_2_00EAAE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4EA55 mov eax, dword ptr fs:[00000030h] 9_2_00F4EA55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F14257 mov eax, dword ptr fs:[00000030h] 9_2_00F14257
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h] 9_2_00E89240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h] 9_2_00E89240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h] 9_2_00E89240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E89240 mov eax, dword ptr fs:[00000030h] 9_2_00E89240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E97E41 mov eax, dword ptr fs:[00000030h] 9_2_00E97E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F4AE44 mov eax, dword ptr fs:[00000030h] 9_2_00F4AE44
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC4A2C mov eax, dword ptr fs:[00000030h] 9_2_00EC4A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8E620 mov eax, dword ptr fs:[00000030h] 9_2_00E8E620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F3FE3F mov eax, dword ptr fs:[00000030h] 9_2_00F3FE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E98A0A mov eax, dword ptr fs:[00000030h] 9_2_00E98A0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8C600 mov eax, dword ptr fs:[00000030h] 9_2_00E8C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB8E00 mov eax, dword ptr fs:[00000030h] 9_2_00EB8E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EA3A1C mov eax, dword ptr fs:[00000030h] 9_2_00EA3A1C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EBA61C mov eax, dword ptr fs:[00000030h] 9_2_00EBA61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E85210 mov eax, dword ptr fs:[00000030h] 9_2_00E85210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E85210 mov ecx, dword ptr fs:[00000030h] 9_2_00E85210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F41608 mov eax, dword ptr fs:[00000030h] 9_2_00F41608
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00E8AA16 mov eax, dword ptr fs:[00000030h] 9_2_00E8AA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EADBE9 mov eax, dword ptr fs:[00000030h] 9_2_00EADBE9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB03E2 mov eax, dword ptr fs:[00000030h] 9_2_00EB03E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC37F5 mov eax, dword ptr fs:[00000030h] 9_2_00EC37F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F053CA mov eax, dword ptr fs:[00000030h] 9_2_00F053CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EB4BAD mov eax, dword ptr fs:[00000030h] 9_2_00EB4BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F55BA5 mov eax, dword ptr fs:[00000030h] 9_2_00F55BA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00F07794 mov eax, dword ptr fs:[00000030h] 9_2_00F07794
Enables debug privileges
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 107.180.51.23 80
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Domain query: www.kayandbernard.com
Source: C:\Windows\explorer.exe Domain query: www.anygivenrunday.com
Source: C:\Windows\explorer.exe Domain query: www.cats16.com
Source: C:\Windows\explorer.exe Network Connect: 172.247.179.61 80
Source: C:\Windows\explorer.exe Domain query: www.gb-contracting.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.fnatic-skins.club
Source: C:\Windows\explorer.exe Domain query: www.benleefoto.com
Source: C:\Windows\explorer.exe Domain query: www.effectivemarketinginc.com
Source: C:\Windows\explorer.exe Domain query: www.donelys.com
Source: C:\Windows\explorer.exe Domain query: www.timbraunmusician.com
Source: C:\Windows\explorer.exe Domain query: www.palomachurch.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.216 80
Source: C:\Windows\explorer.exe Domain query: www.web-evo.com
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Memory written: C:\Users\user\Desktop\g1EhgmCqCD.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1230000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: explorer.exe, 00000004.00000002.909276935.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.675793329.0000000001080000.00000002.00000001.sdmp, msiexec.exe, 00000009.00000002.911521958.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.693874904.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Users\user\Desktop\g1EhgmCqCD.exe VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 404135
Sample: g1EhgmCqCD.exe
Startdate: 04/05/2021
Architecture: WINDOWS
Score: 100

Process tree (numbers in brackets are the graph's own node IDs):

[2] Start
    DNS: www.2000deal.com, www.mollysmulligan.com, 2000deal.com
    Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
  [11] g1EhgmCqCD.exe (started)
      Dropped: C:\Users\user\AppData\...\g1EhgmCqCD.exe.log (ASCII)
      Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
    [15] g1EhgmCqCD.exe (started, second instance)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      [18] explorer.exe (injected)
          DNS/IP: www.anygivenrunday.com 172.247.179.61, ports 49768, 80, CNSERVERSUS, United States; timbraunmusician.com 107.180.51.23, ports 49767, 80, AS-26496-GO-DADDY-COM-LLCUS, United States; 15 other IPs or domains
          Signatures: System process connects to network (likely due to code injection or exploit)
        [22] msiexec.exe (started)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          [25] cmd.exe (started)
            [27] conhost.exe (started)

Contacted Public IPs

IP               Domain                     Country        ASN    ASN Name                     Malicious
172.247.179.61   www.anygivenrunday.com     United States  40065  CNSERVERSUS                  true
107.180.51.23    timbraunmusician.com       United States  26496  AS-26496-GO-DADDY-COM-LLCUS  true
34.102.136.180   2000deal.com               United States  15169  GOOGLEUS                     false
184.168.131.241  kayandbernard.com          United States  26496  AS-26496-GO-DADDY-COM-LLCUS  true
198.54.117.216   parkingpage.namecheap.com  United States  22612  NAMECHEAP-NETUS              false

Contacted Domains

Name IP Active
kayandbernard.com 184.168.131.241 true
palomachurch.com 184.168.131.241 true
timbraunmusician.com 107.180.51.23 true
parkingpage.namecheap.com 198.54.117.216 true
2000deal.com 34.102.136.180 true
gb-contracting.com 34.102.136.180 true
effectivemarketinginc.com 34.102.136.180 true
www.anygivenrunday.com 172.247.179.61 true
www.mollysmulligan.com 3.13.31.214 true
www.2000deal.com unknown unknown
www.kayandbernard.com unknown unknown
www.cats16.com unknown unknown
www.gb-contracting.com unknown unknown
www.fnatic-skins.club unknown unknown
www.benleefoto.com unknown unknown
www.effectivemarketinginc.com unknown unknown
www.donelys.com unknown unknown
www.timbraunmusician.com unknown unknown
www.palomachurch.com unknown unknown
www.web-evo.com unknown unknown

Contacted URLs

http://www.donelys.com/8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.timbraunmusician.com/8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.effectivemarketinginc.com/8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.palomachurch.com/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.kayandbernard.com/8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.2000deal.com/8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
www.cats16.com/8u3b/
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: low
http://www.gb-contracting.com/8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
http://www.anygivenrunday.com/8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P
  Malicious: true; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
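The nine URLs above share one structure while the host changes: the path /8u3b/, the two query parameters DzrXY and zR-4v in that order, and an identical second value 0v1D8ZZ8otVT4F9P. As an added example (not part of the Joe Sandbox report), the Python below derives that pattern from the list and runs it over a proxy log. The URL list is copied from the table above; the log line format, the www.example.com entries and the client addresses are constructed for the demo.

```python
"""Derive a network hunting pattern from the FormBook C2 URLs in this report.

Added example: the URL list is copied from the "Contacted URLs" table;
the proxy log lines and the www.example.com URLs are constructed.
"""
from urllib.parse import urlsplit

# The nine URLs from the report with the report's per-URL "Malicious" verdict.
# The www.cats16.com entry is listed without scheme or query, exactly as in the report.
CONTACTED_URLS = [
    ("http://www.donelys.com/8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P", True),
    ("http://www.timbraunmusician.com/8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P", True),
    ("http://www.effectivemarketinginc.com/8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P", False),
    ("http://www.palomachurch.com/8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P", True),
    ("http://www.kayandbernard.com/8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P", True),
    ("http://www.2000deal.com/8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P", False),
    ("www.cats16.com/8u3b/", True),
    ("http://www.gb-contracting.com/8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P", False),
    ("http://www.anygivenrunday.com/8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P", True),
]
REPORT_URLS = [u for u, _ in CONTACTED_URLS]

# Constructed proxy log, format "<time> <client> <method> <url> <status>".
# Lines 1 and 4 reuse report URLs; lines 2 and 3 (www.example.com) are made up.
PROXY_LOG = [
    "2021-05-04T10:01:07Z 10.0.0.15 GET http://www.donelys.com/8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P 404",
    "2021-05-04T10:01:09Z 10.0.0.15 GET http://www.example.com/8u3b/?DzrXY=abc&zR-4v=somethingelse 200",
    "2021-05-04T10:01:12Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2021-05-04T10:01:15Z 10.0.0.22 GET http://www.cats16.com/8u3b/ 200",
]


def parse_c2_url(url):
    """Split a URL into host, path and raw (name, value) query pairs.

    The query is split by hand rather than with urllib's parse_qsl: the first
    FormBook parameter value is base64-like and contains '+' and '/', and
    parse_qsl would turn '+' into a space and break value comparison.
    """
    if "://" not in url:          # the report lists www.cats16.com/8u3b/ bare
        url = "http://" + url
    parts = urlsplit(url)
    params = []
    if parts.query:
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            params.append((name, value))
    return {"host": parts.hostname, "path": parts.path, "params": params}


def derive_pattern(urls):
    """Return what every URL shares: the path, the ordered parameter names and
    any parameter whose value never changes. Hosts are left out on purpose;
    the report shows the same structure on nine different domains."""
    records = [parse_c2_url(u) for u in urls]
    paths = {r["path"] for r in records}
    if len(paths) != 1:
        raise ValueError(f"no single common path: {sorted(paths)}")
    with_query = [r for r in records if r["params"]]
    name_sets = {tuple(n for n, _ in r["params"]) for r in with_query}
    if len(name_sets) != 1:
        raise ValueError(f"parameter names differ: {sorted(name_sets)}")
    names = name_sets.pop()
    constant = {}
    for idx, name in enumerate(names):
        values = {r["params"][idx][1] for r in with_query}
        if len(values) == 1:
            constant[name] = values.pop()
    return {"path": paths.pop(), "param_names": names, "constant_params": constant}


PATTERN = derive_pattern(REPORT_URLS)


def classify_url(url, pattern):
    """'full' when path, parameter names and constant values all match; 'path'
    when only the path matches and there is no query (the www.cats16.com case);
    'none' otherwise."""
    rec = parse_c2_url(url)
    if rec["path"] != pattern["path"]:
        return "none"
    if not rec["params"]:
        return "path"
    if tuple(n for n, _ in rec["params"]) != pattern["param_names"]:
        return "none"
    seen = dict(rec["params"])
    if all(seen.get(k) == v for k, v in pattern["constant_params"].items()):
        return "full"
    return "none"


def hunt(log_lines, pattern):
    """Return (line index, match level) for every log line whose URL matches."""
    hits = []
    for i, line in enumerate(log_lines):
        url = line.split()[3]          # fourth field in the constructed format
        level = classify_url(url, pattern)
        if level != "none":
            hits.append((i, level))
    return hits


if __name__ == "__main__":
    print("pattern:", PATTERN)
    for i, level in hunt(PROXY_LOG, PATTERN):
        print(f"{level:5s} {PROXY_LOG[i]}")
```

Three of the nine hosts are marked Malicious: false in the report even though they carry the same path and the same constant second parameter; a hunt on the shared structure flags the whole set no matter which domain answers. FormBook configurations mix live C2 domains with decoys, so per-host reputation alone undercounts; the constant value and the fixed parameter order are what separate this sample's beacons from unrelated traffic to the same path, as the www.example.com line with a different zR-4v value shows.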