Windows Analysis Report mal.pif

Overview

General Information

Sample Name: mal.pif (renamed file extension from pif to exe)
Analysis ID: 452374
MD5: b9bca038d7532ec8a1a9ba0e867061bc
SHA1: 6596ac1216bf03d88482415755c499ed6388cab4
SHA256: 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.trendtechpros.com/sm3l/"], "decoy": ["svp-india.com", "feistyflowerfarmers.com", "artprogressive.com", "thedavidweaver.com", "currentputative.life", "bluedot3dwdbuy.com", "xxxmeetme.com", "signify2.com", "converseshoes-canada.com", "schemabuilder.net", "crmcti.com", "mctrh.com", "ringroadpartners.com", "stresslesspilates.com", "directorytexas.xyz", "sarahcarver.com", "diigveda.com", "lifeliveslive.com", "inprize2020.club", "sellerbantuan-bukalapak.com", "thesawbuddy.com", "vtolworldwide.com", "montespc.com", "mylifeinpark.com", "etten-api.com", "plantersam.com", "themcg.net", "tax-account.net", "laurelhomesgroup.com", "epmconsultants.com", "air.guide", "shopfabrique.com", "publicretirementinfo.com", "diversifiedforest.com", "bodurm.com", "aphroditesspiritualshop.com", "vinowolf.com", "teja-online.com", "junion.site", "regenmedica.com", "soulfulparent.com", "elcorazondemama.com", "bench-oat.com", "abrewhomes.com", "premiocovid-19.com", "palmaunlocked.com", "bylauralittle.com", "stikepage.com", "miabogadorolon.com", "hungyivn.com", "interlacer.com", "liang831113.com", "onlinepracticebox.com", "easycookingmastermind.com", "murderofasun.tech", "mybabytennis.com", "margaritagift.com", "utx88.com", "bofengjiaoyegs.com", "reforming-toilets.xyz", "eaoaj.com", "only-king.com", "nearinn.com", "fitsportshop.com"]}
Multi AV Scanner detection for submitted file
Source: mal.exe Virustotal: Detection: 60%
Source: mal.exe Metadefender: Detection: 20%
Source: mal.exe ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: mal.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.mal.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: mal.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: mal.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.469738032.000000000466F000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.trendtechpros.com/sm3l/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9+xe6WE7Z8sx0d/816zczOTA6oQi&ixo0sr=dFQtk HTTP/1.1 | Host: www.mybabytennis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /sm3l/?y0DdGli=yq5bXiAgrpTP0Cl4DWGobHu0GmgEguW+SJypzbO1DFimS8AGhR5rfP7J/muem3koPRQw&ixo0sr=dFQtk HTTP/1.1 | Host: www.sarahcarver.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Source: Joe Sandbox View IP Address: 209.99.64.55
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown DNS traffic detected: queries for: www.mybabytennis.com
Source: explorer.exe, 00000003.00000000.291630599.0000000004DF3000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mal.exe, 00000000.00000003.204191241.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://en.wikip
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mal.exe, 00000000.00000003.204789159.0000000008008000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: mal.exe, 00000000.00000003.204823498.0000000008008000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comi
Source: mal.exe, 00000000.00000003.204789159.0000000008008000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comig
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: mal.exe, 00000000.00000003.204733994.0000000008008000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.p
Source: mal.exe, 00000000.00000003.204874236.0000000008008000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comroa
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: mal.exe, 00000000.00000003.207578003.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com-mI:
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: mal.exe, 00000000.00000003.207611132.000000000800A000.00000004.00000001.sdmp, mal.exe, 00000000.00000003.207500666.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mal.exe, 00000000.00000003.209299719.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mal.exe, 00000000.00000003.208234930.000000000800A000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: mal.exe, 00000000.00000003.209584380.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersP
Source: mal.exe, 00000000.00000003.209521434.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersd
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp, mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersz
Source: mal.exe, 00000000.00000003.209584380.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers~
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalice:i
Source: mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comalssys
Source: mal.exe, 00000000.00000003.210270469.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomF
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comcomde:i
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comde:i
Source: mal.exe, 00000000.00000003.207824329.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.come.com
Source: mal.exe, 00000000.00000003.216548086.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comepko
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comgrito
Source: mal.exe, 00000000.00000003.207578003.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comld9
Source: mal.exe, 00000000.00000003.207500666.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comsivo
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comtui
Source: mal.exe, 00000000.00000003.207782523.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comuei
Source: mal.exe, 00000000.00000003.216548086.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comuetow:
Source: mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comueu
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: mal.exe, 00000000.00000003.204191241.000000000800E000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: mal.exe, 00000000.00000003.204496454.0000000008007000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/D
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mal.exe, 00000000.00000003.204185338.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn0
Source: mal.exe, 00000000.00000003.204286511.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn8
Source: mal.exe, 00000000.00000003.204249088.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cns-m_=
Source: mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/R:
Source: mal.exe, 00000000.00000003.211735765.0000000008027000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krT
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krn
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mal.exe, 00000000.00000003.205981661.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: mal.exe, 00000000.00000003.205652032.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/49
Source: mal.exe, 00000000.00000003.206069922.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-p
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/e:i
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/es-mI:
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/49
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/sys
Source: mal.exe, 00000000.00000003.205710785.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-p
Source: mal.exe, 00000000.00000003.205981661.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/sys
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/w:
Source: mal.exe, 00000000.00000003.211460680.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.p%zzm
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/All_Inclusive_Vacation_Packages.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/Best_Penny_Stocks.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoB
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/High_Speed_Internet.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lpt
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/Migraine_Pain_Relief.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lp
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/Parental_Control.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBx
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/display.cfm
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/fashion_trends.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/find_a_tutor.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1IN
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/px.js?ch=1
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/px.js?ch=2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/sk-logabpstatus.php?a=aDNHUmh6Q0JZczhsWUF1VWNMaFBPajRtSXdZNU1RMWxXTi9ia3
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.mybabytennis.com/sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: mal.exe, 00000000.00000003.206412694.0000000008008000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: mal.exe, 00000000.00000003.203919342.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr-3
Source: mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr.kr
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krB
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.sarahcarver.com
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: http://www.sarahcarver.com/
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: mal.exe, 00000000.00000003.205252766.0000000008008000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comlic&
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deZ
Source: mal.exe, 00000000.00000003.210675196.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deeg
Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deu
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: mal.exe, 00000000.00000003.204709826.0000000008007000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp String found in binary or memory: https://www.domain.com/controlpanel/domaincentral/3.0/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419D60 NtCreateFile, 2_2_00419D60
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419E10 NtReadFile, 2_2_00419E10
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419E90 NtClose, 2_2_00419E90
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419F40 NtAllocateVirtualMemory, 2_2_00419F40
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419E8A NtClose, 2_2_00419E8A
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419F3B NtAllocateVirtualMemory, 2_2_00419F3B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9540 NtReadFile,LdrInitializeThunk, 15_2_045B9540
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B95D0 NtClose,LdrInitializeThunk, 15_2_045B95D0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9650 NtQueryValueKey,LdrInitializeThunk, 15_2_045B9650
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_045B9660
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B96D0 NtCreateKey,LdrInitializeThunk, 15_2_045B96D0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_045B96E0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9710 NtQueryInformationToken,LdrInitializeThunk, 15_2_045B9710
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9FE0 NtCreateMutant,LdrInitializeThunk, 15_2_045B9FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9780 NtMapViewOfSection,LdrInitializeThunk, 15_2_045B9780
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9840 NtDelayExecution,LdrInitializeThunk, 15_2_045B9840
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_045B9860
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_045B9910
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B99A0 NtCreateSection,LdrInitializeThunk, 15_2_045B99A0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A50 NtCreateFile,LdrInitializeThunk, 15_2_045B9A50
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9560 NtWriteFile, 15_2_045B9560
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BAD30 NtSetContextThread, 15_2_045BAD30
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9520 NtWaitForSingleObject, 15_2_045B9520
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B95F0 NtQueryInformationFile, 15_2_045B95F0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9670 NtQueryInformationProcess, 15_2_045B9670
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9610 NtEnumerateValueKey, 15_2_045B9610
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BA770 NtOpenThread, 15_2_045BA770
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9770 NtSetInformationFile, 15_2_045B9770
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9760 NtOpenProcess, 15_2_045B9760
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BA710 NtOpenProcessToken, 15_2_045BA710
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9730 NtQueryVirtualMemory, 15_2_045B9730
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B97A0 NtUnmapViewOfSection, 15_2_045B97A0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BB040 NtSuspendThread, 15_2_045BB040
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9820 NtEnumerateKey, 15_2_045B9820
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B98F0 NtReadVirtualMemory, 15_2_045B98F0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B98A0 NtWriteVirtualMemory, 15_2_045B98A0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9950 NtQueueApcThread, 15_2_045B9950
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B99D0 NtCreateProcessEx, 15_2_045B99D0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A10 NtQuerySection, 15_2_045B9A10
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A00 NtProtectVirtualMemory, 15_2_045B9A00
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A20 NtResumeThread, 15_2_045B9A20
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A80 NtOpenDirectoryObject, 15_2_045B9A80
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9B00 NtSetValueKey, 15_2_045B9B00
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BA3B0 NtGetContextThread, 15_2_045BA3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029F40 NtAllocateVirtualMemory, 15_2_03029F40
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029E10 NtReadFile, 15_2_03029E10
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029E90 NtClose, 15_2_03029E90
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029D60 NtCreateFile, 15_2_03029D60
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029F3B NtAllocateVirtualMemory, 15_2_03029F3B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029E8A NtClose, 15_2_03029E8A
Detected potential crypto function
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041D14B 2_2_0041D14B
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041E224 2_2_0041E224
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409E40 2_2_00409E40
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409E3B 2_2_00409E3B
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041E6AC 2_2_0041E6AC
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041DFC7 2_2_0041DFC7
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463D466 15_2_0463D466
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458841F 15_2_0458841F
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04641D55 15_2_04641D55
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04642D07 15_2_04642D07
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04570D20 15_2_04570D20
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458D5E0 15_2_0458D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046425DD 15_2_046425DD
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2581 15_2_045A2581
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04596E30 15_2_04596E30
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463D616 15_2_0463D616
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04642EF7 15_2_04642EF7
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04641FF1 15_2_04641FF1
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464DFCE 15_2_0464DFCE
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464E824 15_2_0464E824
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631002 15_2_04631002
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046428EC 15_2_046428EC
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458B090 15_2_0458B090
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046420A8 15_2_046420A8
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A20A0 15_2_045A20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457F900 15_2_0457F900
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04594120 15_2_04594120
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046422AE 15_2_046422AE
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04642B28 15_2_04642B28
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463DBD2 15_2_0463DBD2
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046303DA 15_2_046303DA
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AEBB0 15_2_045AEBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302E224 15_2_0302E224
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03012FB0 15_2_03012FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302DFC7 15_2_0302DFC7
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03019E3B 15_2_03019E3B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03019E40 15_2_03019E40
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302E6AC 15_2_0302E6AC
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03012D87 15_2_03012D87
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03012D90 15_2_03012D90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0457B150 appears 45 times
Sample file is different than original file name gathered from version info
Source: mal.exe Binary or memory string: OriginalFilename vs mal.exe
Source: mal.exe, 00000002.00000002.303382209.0000000001281000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs mal.exe
Source: mal.exe, 00000002.00000002.304248088.000000000193F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mal.exe
Source: mal.exe Binary or memory string: OriginalFilenameObjectEqualityCompar.exe8 vs mal.exe
Uses 32bit PE files
Source: mal.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: mal.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\mal.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mal.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_01
Source: C:\Users\user\Desktop\mal.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\mal.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: mal.exe Virustotal: Detection: 60%
Source: mal.exe Metadefender: Detection: 20%
Source: mal.exe ReversingLabs: Detection: 63%
Source: unknown Process created: C:\Users\user\Desktop\mal.exe 'C:\Users\user\Desktop\mal.exe'
Source: C:\Users\user\Desktop\mal.exe Process created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mal.exe Process created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
Source: C:\Users\user\Desktop\mal.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: mal.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: mal.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.469738032.000000000466F000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CEB5 push eax; ret 2_2_0041CF08
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CF6C push eax; ret 2_2_0041CF72
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CF02 push eax; ret 2_2_0041CF08
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CF0B push eax; ret 2_2_0041CF72
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00A97535 push esp; retf 2_2_00A97554
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045CD0D1 push ecx; ret 15_2_045CD0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CF02 push eax; ret 15_2_0302CF08
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CF0B push eax; ret 15_2_0302CF72
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CF6C push eax; ret 15_2_0302CF72
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CEB5 push eax; ret 15_2_0302CF08
Source: initial sample Static PE information: section name: .text entropy: 7.85599061274

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEE
Source: C:\Users\user\Desktop\mal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mal.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mal.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030198E4 second address: 00000000030198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000003019B5E second address: 0000000003019B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\mal.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\mal.exe TID: 6020 Thread sleep time: -54846s >= -30000s
Source: C:\Users\user\Desktop\mal.exe TID: 412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4840 Thread sleep time: -38000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 1320 Thread sleep time: -35000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\mal.exe Thread delayed: delay time: 54846
Source: C:\Users\user\Desktop\mal.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000003.00000000.254840052.0000000001398000.00000004.00000020.sdmp Binary or memory string: War&Prod_VMware_SATAR
Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.273881536.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.292643668.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.274403765.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000003.00000000.264498703.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\mal.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\mal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0040ACD0 LdrLoadDll, 2_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AA44B mov eax, dword ptr fs:[00000030h] 15_2_045AA44B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460C450 mov eax, dword ptr fs:[00000030h] 15_2_0460C450
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460C450 mov eax, dword ptr fs:[00000030h] 15_2_0460C450
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459746D mov eax, dword ptr fs:[00000030h] 15_2_0459746D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6C0A mov eax, dword ptr fs:[00000030h] 15_2_045F6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6C0A mov eax, dword ptr fs:[00000030h] 15_2_045F6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6C0A mov eax, dword ptr fs:[00000030h] 15_2_045F6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6C0A mov eax, dword ptr fs:[00000030h] 15_2_045F6C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h] 15_2_04631C06
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464740D mov eax, dword ptr fs:[00000030h] 15_2_0464740D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464740D mov eax, dword ptr fs:[00000030h] 15_2_0464740D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464740D mov eax, dword ptr fs:[00000030h] 15_2_0464740D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045ABC2C mov eax, dword ptr fs:[00000030h] 15_2_045ABC2C
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046314FB mov eax, dword ptr fs:[00000030h] 15_2_046314FB
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 15_2_045F6CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04648CD6 mov eax, dword ptr fs:[00000030h] 15_2_04648CD6
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458849B mov eax, dword ptr fs:[00000030h] 15_2_0458849B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04597D50 mov eax, dword ptr fs:[00000030h] 15_2_04597D50
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B3D43 mov eax, dword ptr fs:[00000030h] 15_2_045B3D43
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F3540 mov eax, dword ptr fs:[00000030h] 15_2_045F3540
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04623D40 mov eax, dword ptr fs:[00000030h] 15_2_04623D40
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459C577 mov eax, dword ptr fs:[00000030h] 15_2_0459C577
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04648D34 mov eax, dword ptr fs:[00000030h] 15_2_04648D34
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463E539 mov eax, dword ptr fs:[00000030h] 15_2_0463E539
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A4D3B mov eax, dword ptr fs:[00000030h] 15_2_045A4D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457AD30 mov eax, dword ptr fs:[00000030h] 15_2_0457AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045FA537 mov eax, dword ptr fs:[00000030h] 15_2_045FA537
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04583D34 mov eax, dword ptr fs:[00000030h] 15_2_04583D34
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 15_2_0463FDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04628DF1 mov eax, dword ptr fs:[00000030h] 15_2_04628DF1
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 15_2_045F6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6DC9 mov ecx, dword ptr fs:[00000030h] 15_2_045F6DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458D5E0 mov eax, dword ptr fs:[00000030h] 15_2_0458D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AFD9B mov eax, dword ptr fs:[00000030h] 15_2_045AFD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046405AC mov eax, dword ptr fs:[00000030h] 15_2_046405AC
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2581 mov eax, dword ptr fs:[00000030h] 15_2_045A2581
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04572D8A mov eax, dword ptr fs:[00000030h] 15_2_04572D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 15_2_045A1DB5
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A35A1 mov eax, dword ptr fs:[00000030h] 15_2_045A35A1
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04587E41 mov eax, dword ptr fs:[00000030h] 15_2_04587E41
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463AE44 mov eax, dword ptr fs:[00000030h] 15_2_0463AE44
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459AE73 mov eax, dword ptr fs:[00000030h] 15_2_0459AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458766D mov eax, dword ptr fs:[00000030h] 15_2_0458766D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AA61C mov eax, dword ptr fs:[00000030h] 15_2_045AA61C
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457C600 mov eax, dword ptr fs:[00000030h] 15_2_0457C600
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A8E00 mov eax, dword ptr fs:[00000030h] 15_2_045A8E00
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0462FE3F mov eax, dword ptr fs:[00000030h] 15_2_0462FE3F
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631608 mov eax, dword ptr fs:[00000030h] 15_2_04631608
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457E620 mov eax, dword ptr fs:[00000030h] 15_2_0457E620
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A36CC mov eax, dword ptr fs:[00000030h] 15_2_045A36CC
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B8EC7 mov eax, dword ptr fs:[00000030h] 15_2_045B8EC7
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0462FEC0 mov eax, dword ptr fs:[00000030h] 15_2_0462FEC0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04648ED6 mov eax, dword ptr fs:[00000030h] 15_2_04648ED6
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A16E0 mov ecx, dword ptr fs:[00000030h] 15_2_045A16E0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045876E2 mov eax, dword ptr fs:[00000030h] 15_2_045876E2
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04640EA5 mov eax, dword ptr fs:[00000030h] 15_2_04640EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460FE87 mov eax, dword ptr fs:[00000030h] 15_2_0460FE87
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F46A7 mov eax, dword ptr fs:[00000030h] 15_2_045F46A7
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04648F6A mov eax, dword ptr fs:[00000030h] 15_2_04648F6A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458EF40 mov eax, dword ptr fs:[00000030h] 15_2_0458EF40
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458FF60 mov eax, dword ptr fs:[00000030h] 15_2_0458FF60
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459F716 mov eax, dword ptr fs:[00000030h] 15_2_0459F716
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AA70E mov eax, dword ptr fs:[00000030h] 15_2_045AA70E
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464070D mov eax, dword ptr fs:[00000030h] 15_2_0464070D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AE730 mov eax, dword ptr fs:[00000030h] 15_2_045AE730
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460FF10 mov eax, dword ptr fs:[00000030h] 15_2_0460FF10
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04574F2E mov eax, dword ptr fs:[00000030h] 15_2_04574F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B37F5 mov eax, dword ptr fs:[00000030h] 15_2_045B37F5
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F7794 mov eax, dword ptr fs:[00000030h] 15_2_045F7794
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04588794 mov eax, dword ptr fs:[00000030h] 15_2_04588794
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04590050 mov eax, dword ptr fs:[00000030h] 15_2_04590050
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04632073 mov eax, dword ptr fs:[00000030h] 15_2_04632073
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04641074 mov eax, dword ptr fs:[00000030h] 15_2_04641074
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F7016 mov eax, dword ptr fs:[00000030h] 15_2_045F7016
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04644015 mov eax, dword ptr fs:[00000030h] 15_2_04644015
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458B02A mov eax, dword ptr fs:[00000030h] 15_2_0458B02A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A002D mov eax, dword ptr fs:[00000030h] 15_2_045A002D
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0460B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460B8D0 mov ecx, dword ptr fs:[00000030h] 15_2_0460B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045740E1 mov eax, dword ptr fs:[00000030h] 15_2_045740E1
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045758EC mov eax, dword ptr fs:[00000030h] 15_2_045758EC
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04579080 mov eax, dword ptr fs:[00000030h] 15_2_04579080
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F3884 mov eax, dword ptr fs:[00000030h] 15_2_045F3884
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AF0BF mov ecx, dword ptr fs:[00000030h] 15_2_045AF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AF0BF mov eax, dword ptr fs:[00000030h] 15_2_045AF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B90AF mov eax, dword ptr fs:[00000030h] 15_2_045B90AF
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A20A0 mov eax, dword ptr fs:[00000030h] 15_2_045A20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459B944 mov eax, dword ptr fs:[00000030h] 15_2_0459B944
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457B171 mov eax, dword ptr fs:[00000030h] 15_2_0457B171
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457C962 mov eax, dword ptr fs:[00000030h] 15_2_0457C962
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04579100 mov eax, dword ptr fs:[00000030h] 15_2_04579100
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A513A mov eax, dword ptr fs:[00000030h] 15_2_045A513A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04594120 mov eax, dword ptr fs:[00000030h] 15_2_04594120
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04594120 mov ecx, dword ptr fs:[00000030h] 15_2_04594120
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046041E8 mov eax, dword ptr fs:[00000030h] 15_2_046041E8
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457B1E1 mov eax, dword ptr fs:[00000030h] 15_2_0457B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046349A4 mov eax, dword ptr fs:[00000030h] 15_2_046349A4
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2990 mov eax, dword ptr fs:[00000030h] 15_2_045A2990
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459C182 mov eax, dword ptr fs:[00000030h] 15_2_0459C182
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AA185 mov eax, dword ptr fs:[00000030h] 15_2_045AA185
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F51BE mov eax, dword ptr fs:[00000030h] 15_2_045F51BE
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F69A6 mov eax, dword ptr fs:[00000030h] 15_2_045F69A6
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A61A0 mov eax, dword ptr fs:[00000030h] 15_2_045A61A0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0462B260 mov eax, dword ptr fs:[00000030h] 15_2_0462B260
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04648A62 mov eax, dword ptr fs:[00000030h] 15_2_04648A62
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04579240 mov eax, dword ptr fs:[00000030h] 15_2_04579240
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B927A mov eax, dword ptr fs:[00000030h] 15_2_045B927A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463EA55 mov eax, dword ptr fs:[00000030h] 15_2_0463EA55
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04604257 mov eax, dword ptr fs:[00000030h] 15_2_04604257
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457AA16 mov eax, dword ptr fs:[00000030h] 15_2_0457AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04593A1C mov eax, dword ptr fs:[00000030h] 15_2_04593A1C
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04575210 mov eax, dword ptr fs:[00000030h] 15_2_04575210
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04575210 mov ecx, dword ptr fs:[00000030h] 15_2_04575210
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04588A0A mov eax, dword ptr fs:[00000030h] 15_2_04588A0A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463AA16 mov eax, dword ptr fs:[00000030h] 15_2_0463AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B4A2C mov eax, dword ptr fs:[00000030h] 15_2_045B4A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2ACB mov eax, dword ptr fs:[00000030h] 15_2_045A2ACB
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2AE4 mov eax, dword ptr fs:[00000030h] 15_2_045A2AE4
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AD294 mov eax, dword ptr fs:[00000030h] 15_2_045AD294
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458AAB0 mov eax, dword ptr fs:[00000030h] 15_2_0458AAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AFAB0 mov eax, dword ptr fs:[00000030h] 15_2_045AFAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045752A5 mov eax, dword ptr fs:[00000030h] 15_2_045752A5
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457F358 mov eax, dword ptr fs:[00000030h] 15_2_0457F358
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457DB40 mov eax, dword ptr fs:[00000030h] 15_2_0457DB40
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A3B7A mov eax, dword ptr fs:[00000030h] 15_2_045A3B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457DB60 mov ecx, dword ptr fs:[00000030h] 15_2_0457DB60
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04648B58 mov eax, dword ptr fs:[00000030h] 15_2_04648B58
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463131B mov eax, dword ptr fs:[00000030h] 15_2_0463131B
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F53CA mov eax, dword ptr fs:[00000030h] 15_2_045F53CA
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459DBE9 mov eax, dword ptr fs:[00000030h] 15_2_0459DBE9
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A03E2 mov eax, dword ptr fs:[00000030h] 15_2_045A03E2
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04645BA5 mov eax, dword ptr fs:[00000030h] 15_2_04645BA5
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AB390 mov eax, dword ptr fs:[00000030h] 15_2_045AB390
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2397 mov eax, dword ptr fs:[00000030h] 15_2_045A2397
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04581B8F mov eax, dword ptr fs:[00000030h] 15_2_04581B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0462D380 mov ecx, dword ptr fs:[00000030h] 15_2_0462D380
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463138A mov eax, dword ptr fs:[00000030h] 15_2_0463138A
Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A4BAD mov eax, dword ptr fs:[00000030h] 15_2_045A4BAD
Enables debug privileges
Source: C:\Users\user\Desktop\mal.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mal.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 209.99.64.55 80
Source: C:\Windows\explorer.exe Domain query: www.mybabytennis.com
Source: C:\Windows\explorer.exe Domain query: www.sarahcarver.com
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\mal.exe Memory written: C:\Users\user\Desktop\mal.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\mal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mal.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\mal.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\mal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\mal.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 110000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\mal.exe Process created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
Source: explorer.exe, 00000003.00000000.254840052.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000003.00000000.255111932.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.267754252.0000000006860000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.255111932.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.255111932.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Users\user\Desktop\mal.exe VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\mal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
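The report lines above are easier to reason about once condensed: which directories the VolumeInformation queries cluster in, whether the MachineGuid read is present, and in which processes and with what page protection the FormBook Yara rule fired. The following Python parser is an added example, not Joe Sandbox code and not part of the original report. It embeds a constructed subset of this section's lines so it runs offline. The field layout it assumes for the `.sdmp` names (process number, sequence, counter, base address, page protection, flag) is an assumption made here, not documented on the page; the PAGE_* values are the standard winnt.h constants.

```python
"""Added example: condense the behaviour and Yara-match lines of a Joe Sandbox report.
Not the sandbox's own code; the .sdmp field meanings below are an assumption."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed subset of the lines in this section, embedded so the script runs offline.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\mal.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
""".strip().splitlines()

VOLINFO_RE = re.compile(r"^Source: (?P<proc>\S+) Queries volume information: (?P<path>.+?) VolumeInformation$")
REGQUERY_RE = re.compile(r"^Source: (?P<proc>\S+) Key value queried: (?P<key>\S+) (?P<value>\S+)$")
YARA_RE = re.compile(r"^Source: Yara match File source: (?P<src>\S+), type: (?P<kind>\w+)$")
# Assumed layout of a Joe Sandbox memory-dump name (all fields hex except <counter>):
#   <process>.<sequence>.<counter>.<base address>.<page protection>.<flag>.sdmp
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<seq>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
                     r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\.sdmp$")

# Windows PAGE_* protection constants (winnt.h), applied to the low byte of the assumed protection field.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTE_MASK = 0xF0  # any of the four PAGE_EXECUTE* bits


def parse_report(lines):
    """Split report lines into volume-information queries, registry reads and Yara match sources."""
    events = {"volinfo": [], "regquery": [], "yara": []}
    for line in lines:
        line = line.strip()
        m = VOLINFO_RE.match(line)
        if m:
            events["volinfo"].append((m["proc"], m["path"]))
            continue
        m = REGQUERY_RE.match(line)
        if m:
            events["regquery"].append((m["proc"], m["key"], m["value"]))
            continue
        m = YARA_RE.match(line)
        if m:
            events["yara"].append((m["src"], m["kind"]))
    return events


def decode_dump_name(name):
    """Decode a .sdmp name into process number, base address and page protection (assumed layout)."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    prot = int(m["prot"], 16)
    return {
        "proc": int(m["proc"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        "executable": bool(prot & EXECUTE_MASK),
    }


def summarize(events):
    """Condense the events into the three facts an analyst wants from this section."""
    volinfo_dirs = Counter(str(PureWindowsPath(path).parent) for _, path in events["volinfo"])
    reads_machine_guid = any(
        key.upper().endswith(r"\MICROSOFT\CRYPTOGRAPHY") and value == "MachineGuid"
        for _, key, value in events["regquery"]
    )
    # Processes whose *executable* memory holds the FormBook payload: the hollowed/injected targets.
    rwx_regions = set()
    for src, kind in events["yara"]:
        info = decode_dump_name(src) if kind == "MEMORY" else None
        if info and info["executable"]:
            rwx_regions.add((info["proc"], info["base"]))
    return {
        "volinfo_dirs": volinfo_dirs,
        "reads_machine_guid": reads_machine_guid,
        "payload_rwx_regions": sorted(rwx_regions),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(REPORT_LINES))
    for directory, count in summary["volinfo_dirs"].most_common():
        print(f"{count:4d} volume-information queries under {directory}")
    print("reads HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid:", summary["reads_machine_guid"])
    for proc, base in summary["payload_rwx_regions"]:
        print(f"FormBook payload in executable memory: process {proc} @ {base:#x}")
```

Two caveats when reading the output. MachineGuid is read by a great deal of legitimate software, so the registry query is a weak indicator on its own; it is worth noting here only because stealers commonly derive a victim identifier from it, and it is the combination with the other signatures that matters. The memory matches are the strong signal: under the assumed field layout, the FormBook rule fires at base 0x400000 of process 2 with PAGE_EXECUTE_READWRITE protection (the sample's own image base, consistent with the process-hollowing signature in the overview) and at an executable region in process 3, while the hit in process 0xF at 0x1B0000 is PAGE_READWRITE only, which can be a staging copy rather than running code. Do not key a detection on executable protection alone.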