Windows Analysis Report TPJX2QwEdXs5sTV.exe

Overview

General Information

Sample Name: TPJX2QwEdXs5sTV.exe
Analysis ID: 483640
MD5: ce556ce97ea23cbc2940f2aad45d468f
SHA1: cc2bdaefa2f0ac108e2f456e42a42e8258580cf4
SHA256: 7c3d5ebd2c417a52b2a0b98dee95b5a7f283816f6a2453ceeffd31becc140882
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name in the version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.438451.com/t75f/"], "decoy": ["ice-lemon.pro", "ar3spro.cloud", "9055837.com", "fucksociety.net", "prettyofficialx.com", "mfxw.xyz", "relationshipquiz.info", "customia.xyz", "juanayjuan.com", "zidiankj.com", "facture-booking.com", "secondmining.store", "aboutyou.club", "gongxichen.com", "laurabraincreative.com", "pierrot-bros.com", "saintpaulaccountingservices.com", "dom-maya.com", "garderobamarzen.net", "la-salamandre-assurances.com", "pearmanprep.com", "telfarcontrol.com", "productsshareco.com", "cirf2021.online", "purchasevip.com", "cakewalkvision.com", "pointrenewables.com", "groups4n.com", "swnegce.xyz", "tjapro.com", "packagedesign.biz", "services-govgr.cloud", "shopgrassfedbeef.com", "tquilaint.com", "templetreemontessori.com", "munortiete.com", "nothingbutspotlesss.com", "fanpaixiu.xyz", "fr-site-amazon.com", "salartfinance.com", "beachers-shop.com", "friskvardaportalen.online", "pinsanova.site", "lemonvinyl.online", "indianadogeavaxsite.site", "styphon.com", "open24review-service.com", "bdjh9.xyz", "cocodiesel.com", "fortmyersfl.deals", "dsdtourism.com", "phone-il.net", "learningfactoryus.com", "incentreward.xyz", "travellerfund.com", "changcheng.pro", "cryptowalletts.com", "tradopplst.xyz", "autonomoustechnologyinc.com", "assessmentdna.xyz", "denicon-th.com", "dib5so.com", "genwealthbuilders.store", "delnetitcilo.net"]}
Multi AV Scanner detection for submitted file
Source: TPJX2QwEdXs5sTV.exe ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: TPJX2QwEdXs5sTV.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: TPJX2QwEdXs5sTV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.390723041.000000000105F000.00000040.00000001.sdmp, cmd.exe, 00000017.00000002.518459422.000000000369F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe, 00000017.00000002.511566191.0000000000870000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmd.exe
Source: Binary string: RegSvcs.pdb source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
Source: Binary string: cmd.pdb source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 23_2_0087B89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008868BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 23_2_008868BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0088245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 23_2_0088245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008931DC FindFirstFileW,FindNextFileW,FindClose, 23_2_008931DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008785EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 23_2_008785EA

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 6_2_004162C7

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.ice-lemon.pro
Source: C:\Windows\explorer.exe Domain query: www.indianadogeavaxsite.site
Source: C:\Windows\explorer.exe Domain query: www.munortiete.com
Source: C:\Windows\explorer.exe Domain query: www.pierrot-bros.com
Source: C:\Windows\explorer.exe Network Connect: 54.194.41.141 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.147.111 80
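The chain the report describes (the .NET dropper starts RegSvcs.exe with no arguments as a hollowing host, RegSvcs.exe writes into explorer.exe, and explorer.exe and later cmd.exe carry the traffic) is what the Sigma signature "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" and the injection signatures above are keyed on. The Python below is an added example, not part of the sandbox report, showing how those three observations translate into endpoint-telemetry checks. The event records are constructed to mirror the report's chain, with Sysmon field names (Event ID 1 process creation, 3 network connection, 10 process access); the PROCESS_* access-mask constants are the documented Windows values, while the GrantedAccess value, PIDs, paths and the "sacrificial host" list are the example's own assumptions and not the Sigma rule's exact list.

```python
"""Added example (not from the sandbox report): telemetry checks for the
FormBook execution chain, over constructed Sysmon-style events."""
import ipaddress

# Documented Windows process access rights (winnt.h).
PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE = 0x0002, 0x0008, 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Binaries commonly started with no arguments purely to be hollowed
# (example's own list; RegSvcs.exe is the one used by this sample).
SACRIFICIAL_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                     "rundll32.exe", "regsvr32.exe"}
# Processes this sample injects into / routes traffic through.
INJECTION_TARGETS = {"explorer.exe", "svchost.exe", "dllhost.exe", "cmd.exe"}

# Constructed telemetry mirroring the report's chain (PIDs, paths and the
# GrantedAccess value are assumptions, not values from the report).
EVENTS = [
    {"id": 1, "pid": 1001, "ppid": 900,
     "image": r"C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe",
     "cmdline": r'"C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe"'},
    {"id": 1, "pid": 1006, "ppid": 1001,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"id": 10, "src_pid": 1006, "tgt_pid": 1008, "granted": 0x1FFFFF,
     "src_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "tgt_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1023, "ppid": 1008,
     "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\SysWOW64\cmd.exe"},
    {"id": 3, "pid": 1008, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "54.194.41.141", "dst_port": 80},
    # Benign contrast: explorer.exe to a private address on SMB, and a normal
    # RegSvcs.exe invocation that registers an assembly.
    {"id": 3, "pid": 1008, "image": r"C:\Windows\explorer.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
    {"id": 1, "pid": 1100, "ppid": 1050,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\app\Svc.dll"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(image, cmdline):
    """True when the command line is nothing but the image path, quoted or not."""
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events):
    """Return (severity, rule, pid) findings. A cross-process write from a PID
    that was earlier flagged as an argument-less sacrificial host is raised to
    high, because that pairing is the hollowing-then-inject pattern."""
    findings = []
    sacrificial = set()
    for ev in events:
        if ev["id"] == 1:
            if basename(ev["image"]) in SACRIFICIAL_HOSTS and \
               has_no_arguments(ev["image"], ev["cmdline"]):
                sacrificial.add(ev["pid"])
                findings.append(("medium", "sacrificial_process_no_args", ev["pid"]))
        elif ev["id"] == 10:
            if (ev["granted"] & INJECT_MASK) == INJECT_MASK and \
               basename(ev["tgt_image"]) in INJECTION_TARGETS:
                sev = "high" if ev["src_pid"] in sacrificial else "medium"
                findings.append((sev, "write_access_to_system_process", ev["src_pid"]))
        elif ev["id"] == 3:
            dst = ipaddress.ip_address(ev["dst_ip"])
            if basename(ev["image"]) in INJECTION_TARGETS and dst.is_global \
               and ev["dst_port"] in (80, 443):
                findings.append(("medium", "system_process_outbound_http", ev["pid"]))
    return findings


if __name__ == "__main__":
    for sev, rule, pid in detect(EVENTS):
        print(f"{sev:6} {rule:32} pid={pid}")
```

On a real fleet the explorer.exe outbound-HTTP check alone is noisy (explorer.exe does talk to Microsoft services), which is why the correlation with an argument-less RegSvcs.exe start and a VM_WRITE access to explorer.exe is what carries the weight; Sysmon Event 10 also needs an include filter on TargetImage, since unfiltered it is the highest-volume event source.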
Performs DNS queries to domains with low reputation
Source: DNS query: www.fanpaixiu.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.438451.com/t75f/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1
    Host: www.indianadogeavaxsite.site
    Connection: close
    Data Raw: 00 00 00 00 00 00 00 (Data Ascii: all non-printable)
Source: global traffic HTTP traffic detected:
    GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1
    Host: www.munortiete.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00 (Data Ascii: all non-printable)
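Both captured GET requests use the configured C2 path /t75f/ but are sent to domains from the decoy list, not to www.438451.com; the real C2 host only surfaces as a string in cmd.exe memory further down. That is FormBook's normal behaviour: it beacons to a set of decoy domains with the same URI shape as the real check-in, so a connection log on its own does not tell an analyst which host to block. The Python below is an added example, not part of the sandbox report, that joins the extracted configuration with the observed traffic. The configuration is copied from the Malware Configuration Extractor entry above (decoy list trimmed to the domains that also appear in the traffic); the raw requests are constructed from the two "HTTP traffic detected" entries with their header lines re-separated, plus one made-up benign request for contrast; the DNS-only hosts are the ones listed under "System process connects to network".

```python
"""Added example (not from the sandbox report): classify observed hosts against
the extracted FormBook config and recognise the beacon URI shape."""
from urllib.parse import urlsplit, parse_qs

# From the report's Malware Configuration Extractor (decoys trimmed here).
FORMBOOK_CONFIG = {
    "C2 list": ["www.438451.com/t75f/"],
    "decoy": ["ice-lemon.pro", "indianadogeavaxsite.site", "munortiete.com",
              "pierrot-bros.com", "fanpaixiu.xyz", "styphon.com"],
}

# Constructed sample traffic: the report's two beacons as proper HTTP/1.1
# requests, and one unrelated request that carries a User-Agent.
RAW_REQUESTS = [
    "GET /t75f/?IL3h=sM7Ty9CQqazxDsp1L2wp1X0yz6j8iZQMubl0W4soZskD9oW6nOghj7d5yalvsy0iKmR0GSiRBw==&_hN0=5jFT8RbH3tHLZn HTTP/1.1\r\n"
    "Host: www.indianadogeavaxsite.site\r\nConnection: close\r\n\r\n",
    "GET /t75f/?IL3h=1LVEWTKjgk7dQQTcgX7ekf6vWGvALEiRfuym9xfNfV6ZlhpaQ60NuXtsMiMogZeeqS9jy4XPVA==&_hN0=5jFT8RbH3tHLZn HTTP/1.1\r\n"
    "Host: www.munortiete.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example-unrelated.test\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]
# Hosts the report saw only as DNS queries from explorer.exe.
DNS_QUERIES = ["www.ice-lemon.pro", "www.pierrot-bros.com", "www.fanpaixiu.xyz"]


def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser (no body handling)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def strip_www(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_c2(entry):
    """A FormBook 'C2 list' entry is 'host/path/'; split it into (host, path)."""
    host, _, path = entry.partition("/")
    return strip_www(host), "/" + path


def classify_host(config, host):
    """'c2' for the configured C2 host, 'decoy' for a listed decoy, else 'unknown'."""
    c2_host, _ = parse_c2(config["C2 list"][0])
    bare = strip_www(host)
    if bare == c2_host:
        return "c2"
    if bare in {d.lower() for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def is_formbook_beacon(uri, c2_path):
    """Beacon shape: the configured path plus exactly two query parameters, a
    long base64-like blob followed by a short token. The parameter names
    (IL3h and _hN0 in this sample) are per-build and are deliberately not
    matched on."""
    parts = urlsplit(uri)
    if parts.path != c2_path:
        return False
    values = [v[0] for v in parse_qs(parts.query, keep_blank_values=True).values()]
    if len(values) != 2:
        return False
    blob, token = values
    return len(blob) >= 32 and 8 <= len(token) <= 24


def triage(config, raw_requests, dns_queries):
    """One finding per observed host: config label, beacon-shape match and the
    missing User-Agent that the report's own signature fires on."""
    _, c2_path = parse_c2(config["C2 list"][0])
    findings = {}
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        findings[host] = {
            "label": classify_host(config, host),
            "beacon": is_formbook_beacon(req["uri"], c2_path),
            "no_user_agent": "user-agent" not in req["headers"],
        }
    for host in dns_queries:
        findings.setdefault(host, {"label": classify_host(config, host),
                                   "beacon": False, "no_user_agent": False})
    return findings


if __name__ == "__main__":
    for host, f in sorted(triage(FORMBOOK_CONFIG, RAW_REQUESTS, DNS_QUERIES).items()):
        print(f"{host:32} {f['label']:8} beacon={f['beacon']} no_ua={f['no_user_agent']}")
```

The blocking decision follows from the labels: the C2 host and the /t75f/ path are the indicators worth acting on, while decoy domains are frequently unrelated third-party or parked sites that the malware merely names, so they belong in a watch-list rather than a block-list unless the traffic to them matches the beacon shape as well.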
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.247036337.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://en.w
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.246382239.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.246270583.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.comj
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.253864499.0000000006043000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlh
Source: explorer.exe, 00000008.00000000.308790689.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252313565.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com)
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com-se
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com0
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252560675.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com?
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252833728.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comMic
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comTCd
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.252658676.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coma
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252394694.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comak
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252349501.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comd
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252876215.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comexc
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.252434713.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml-g
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252560675.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml-se
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como._
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252225171.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comof
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252225171.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comona
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comue
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252876215.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comypoC
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.257664415.0000000006041000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.257568508.0000000006041000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256412762.0000000006041000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256690000.0000000006041000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/0
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258643842.000000000605E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258643842.000000000605E000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258314127.000000000605E000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.258167734.0000000006041000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258749887.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers0.
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.258749887.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers3
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.259100620.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersD
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256499107.0000000006041000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersH
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251297242.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn(
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251510361.0000000006040000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn0
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cncom
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.251577185.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnicr
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.262778713.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.260576945.000000000603B000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250819017.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kX
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250685229.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr-cY
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250819017.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krV
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.260424917.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype.
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.245363117.0000000006022000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.245363117.0000000006022000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.253704425.0000000006043000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com3
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.253864499.0000000006043000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com9
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.250514753.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kra-e#
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.252797134.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252833728.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comw
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.259240750.0000000006047000.00000004.00000001.sdmp, TPJX2QwEdXs5sTV.exe, 00000001.00000003.256166829.0000000006041000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.256226500.0000000006041000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deA
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.284564270.0000000007232000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn0
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cncom
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnk
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.E
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252524764.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cno.U
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000003.252145677.000000000603B000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnue
Source: cmd.exe, 00000017.00000002.521651760.0000000003C32000.00000004.00020000.sdmp String found in binary or memory: https://www.438451.com/t75f/?IL3h=1BeMm2dWByn9xv9J99R2XzKkk0MJMO8GKUMNYM3ZZNvYMz7ACarE0KIXHaUrAW4HLV
Source: unknown DNS traffic detected: queries for: www.ice-lemon.pro

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.280628910.0000000001448000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: the same 13 sources (3 UNPACKEDPE, 10 MEMORY) listed under AV Detection, Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: TPJX2QwEdXs5sTV.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA2068 1_2_04FA2068
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA4190 1_2_04FA4190
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA28D0 1_2_04FA28D0
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA28CE 1_2_04FA28CE
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA2059 1_2_04FA2059
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA2510 1_2_04FA2510
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA6D08 1_2_04FA6D08
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA2501 1_2_04FA2501
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA2ACF 1_2_04FA2ACF
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA0388 1_2_04FA0388
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA037A 1_2_04FA037A
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_04FA2B0F 1_2_04FA2B0F
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_054CE5CA 1_2_054CE5CA
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_054CE5D8 1_2_054CE5D8
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Code function: 1_2_054CBC34 1_2_054CBC34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401027 6_2_00401027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041C94A 6_2_0041C94A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041BB99 6_2_0041BB99
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00408C60 6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041A6AA 6_2_0041A6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7B090 6_2_00F7B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021002 6_2_01021002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F84120 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6F900 6_2_00F6F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9EBB0 6_2_00F9EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01031D55 6_2_01031D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F60D20 6_2_00F60D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F86E30 6_2_00F86E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008748E6 23_2_008748E6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00895CEA 23_2_00895CEA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00879CF0 23_2_00879CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087D803 23_2_0087D803
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087E040 23_2_0087E040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00877190 23_2_00877190
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008931DC 23_2_008931DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00893506 23_2_00893506
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00886550 23_2_00886550
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00881969 23_2_00881969
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00878AD7 23_2_00878AD7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00875226 23_2_00875226
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087FA30 23_2_0087FA30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00875E70 23_2_00875E70
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00885FC8 23_2_00885FC8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00896FF0 23_2_00896FF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087CB48 23_2_0087CB48
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DEBB0 23_2_035DEBB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C6E30 23_2_035C6E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03671D55 23_2_03671D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AF900 23_2_035AF900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A0D20 23_2_035A0D20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C4120 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BD5E0 23_2_035BD5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B841F 23_2_035B841F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661002 23_2_03661002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BB090 23_2_035BB090
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 035AB150 appears 32 times
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0088374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 23_2_0088374E
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004185C0 NtCreateFile, 6_2_004185C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00418670 NtReadFile, 6_2_00418670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004186F0 NtClose, 6_2_004186F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004187A0 NtAllocateVirtualMemory, 6_2_004187A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041866C NtReadFile, 6_2_0041866C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004186EA NtClose, 6_2_004186EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA98F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_00FA98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_00FA9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9840 NtDelayExecution,LdrInitializeThunk, 6_2_00FA9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA99A0 NtCreateSection,LdrInitializeThunk, 6_2_00FA99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_00FA9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9A50 NtCreateFile,LdrInitializeThunk, 6_2_00FA9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9A20 NtResumeThread,LdrInitializeThunk, 6_2_00FA9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_00FA9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA95D0 NtClose,LdrInitializeThunk, 6_2_00FA95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9540 NtReadFile,LdrInitializeThunk, 6_2_00FA9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_00FA96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_00FA9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9FE0 NtCreateMutant,LdrInitializeThunk, 6_2_00FA9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA97A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_00FA97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9780 NtMapViewOfSection,LdrInitializeThunk, 6_2_00FA9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9710 NtQueryInformationToken,LdrInitializeThunk, 6_2_00FA9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA98A0 NtWriteVirtualMemory, 6_2_00FA98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FAB040 NtSuspendThread, 6_2_00FAB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9820 NtEnumerateKey, 6_2_00FA9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA99D0 NtCreateProcessEx, 6_2_00FA99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9950 NtQueueApcThread, 6_2_00FA9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9A80 NtOpenDirectoryObject, 6_2_00FA9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9A10 NtQuerySection, 6_2_00FA9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FAA3B0 NtGetContextThread, 6_2_00FAA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9B00 NtSetValueKey, 6_2_00FA9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA95F0 NtQueryInformationFile, 6_2_00FA95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9560 NtWriteFile, 6_2_00FA9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FAAD30 NtSetContextThread, 6_2_00FAAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9520 NtWaitForSingleObject, 6_2_00FA9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA96D0 NtCreateKey, 6_2_00FA96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9670 NtQueryInformationProcess, 6_2_00FA9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9650 NtQueryValueKey, 6_2_00FA9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9610 NtEnumerateValueKey, 6_2_00FA9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9770 NtSetInformationFile, 6_2_00FA9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FAA770 NtOpenThread, 6_2_00FAA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9760 NtOpenProcess, 6_2_00FA9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA9730 NtQueryVirtualMemory, 6_2_00FA9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FAA710 NtOpenProcessToken, 6_2_00FAA710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008758A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 23_2_008758A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008784BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 23_2_008784BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087B4C0 NtQueryInformationToken, 23_2_0087B4C0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087B4F8 NtQueryInformationToken,NtQueryInformationToken, 23_2_0087B4F8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087B42E NtOpenThreadToken,NtOpenProcessToken,NtClose, 23_2_0087B42E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00896D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 23_2_00896D90
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0089B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 23_2_0089B5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00899AB4 NtSetInformationFile, 23_2_00899AB4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008783F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 23_2_008783F2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9710 NtQueryInformationToken,LdrInitializeThunk, 23_2_035E9710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9FE0 NtCreateMutant,LdrInitializeThunk, 23_2_035E9FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9780 NtMapViewOfSection,LdrInitializeThunk, 23_2_035E9780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9A50 NtCreateFile,LdrInitializeThunk, 23_2_035E9A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E96D0 NtCreateKey,LdrInitializeThunk, 23_2_035E96D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 23_2_035E96E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9540 NtReadFile,LdrInitializeThunk, 23_2_035E9540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 23_2_035E9910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E95D0 NtClose,LdrInitializeThunk, 23_2_035E95D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E99A0 NtCreateSection,LdrInitializeThunk, 23_2_035E99A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9840 NtDelayExecution,LdrInitializeThunk, 23_2_035E9840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9860 NtQuerySystemInformation,LdrInitializeThunk, 23_2_035E9860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9770 NtSetInformationFile, 23_2_035E9770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035EA770 NtOpenThread, 23_2_035EA770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9760 NtOpenProcess, 23_2_035E9760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035EA710 NtOpenProcessToken, 23_2_035EA710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9B00 NtSetValueKey, 23_2_035E9B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9730 NtQueryVirtualMemory, 23_2_035E9730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035EA3B0 NtGetContextThread, 23_2_035EA3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E97A0 NtUnmapViewOfSection, 23_2_035E97A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9650 NtQueryValueKey, 23_2_035E9650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9670 NtQueryInformationProcess, 23_2_035E9670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9660 NtAllocateVirtualMemory, 23_2_035E9660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9610 NtEnumerateValueKey, 23_2_035E9610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9A10 NtQuerySection, 23_2_035E9A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9A00 NtProtectVirtualMemory, 23_2_035E9A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9A20 NtResumeThread, 23_2_035E9A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9A80 NtOpenDirectoryObject, 23_2_035E9A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9950 NtQueueApcThread, 23_2_035E9950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9560 NtWriteFile, 23_2_035E9560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035EAD30 NtSetContextThread, 23_2_035EAD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9520 NtWaitForSingleObject, 23_2_035E9520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E99D0 NtCreateProcessEx, 23_2_035E99D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E95F0 NtQueryInformationFile, 23_2_035E95F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035EB040 NtSuspendThread, 23_2_035EB040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E9820 NtEnumerateKey, 23_2_035E9820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E98F0 NtReadVirtualMemory, 23_2_035E98F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E98A0 NtWriteVirtualMemory, 23_2_035E98A0
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00886550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 23_2_00886550
Sample file is different than original file name gathered from version info
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000000.242394304.0000000000D72000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBINDOP.exeh$ vs TPJX2QwEdXs5sTV.exe
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.280628910.0000000001448000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TPJX2QwEdXs5sTV.exe
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs TPJX2QwEdXs5sTV.exe
Source: TPJX2QwEdXs5sTV.exe Binary or memory string: OriginalFilenameBINDOP.exeh$ vs TPJX2QwEdXs5sTV.exe
PE file contains strange resources
Source: TPJX2QwEdXs5sTV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TPJX2QwEdXs5sTV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TPJX2QwEdXs5sTV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: TPJX2QwEdXs5sTV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: TPJX2QwEdXs5sTV.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe 'C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe'
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TPJX2QwEdXs5sTV.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/1@7/3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0089A0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z, 23_2_0089A0D2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit, 23_2_0087C5CA
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Mutant created: \Sessions\1\BaseNamedObjects\kSLmFPbu
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4116:120:WilError_01
Source: TPJX2QwEdXs5sTV.exe, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TPJX2QwEdXs5sTV.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TPJX2QwEdXs5sTV.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.390723041.000000000105F000.00000040.00000001.sdmp, cmd.exe, 00000017.00000002.518459422.000000000369F000.00000040.00000001.sdmp
Source: Binary string: cmd.pdbUGP source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe, 00000017.00000002.511566191.0000000000870000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmd.exe
Source: Binary string: RegSvcs.pdb source: cmd.exe, 00000017.00000002.521600812.0000000003AB7000.00000004.00020000.sdmp
Source: Binary string: cmd.pdb source: RegSvcs.exe, 00000006.00000002.391607663.0000000002EB0000.00000040.00020000.sdmp, cmd.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: TPJX2QwEdXs5sTV.exe, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.TPJX2QwEdXs5sTV.exe.cd0000.0.unpack, u0003u2001.cs .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041B86C push eax; ret 6_2_0041B872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041B802 push eax; ret 6_2_0041B808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041B80B push eax; ret 6_2_0041B872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041C292 push AD92C3EFh; ret 6_2_0041C41C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040C335 pushfd ; ret 6_2_0040C33A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CDE0 push F8C82648h; ret 6_2_0041CF04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041B6B3 push esp; retf 6_2_0041B6B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041B7B5 push eax; ret 6_2_0041B808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FBD0D1 push ecx; ret 6_2_00FBD0E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008876BD push ecx; ret 23_2_008876D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008876D1 push ecx; ret 23_2_008876E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035FD0D1 push ecx; ret 23_2_035FD0E4
Source: initial sample Static PE information: section name: .text entropy: 7.79647412085
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: TPJX2QwEdXs5sTV.exe PID: 5056, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000002D985F4 second address: 0000000002D985FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000002D9897E second address: 0000000002D98984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe TID: 4452 Thread sleep time: -35576s >= -30000s
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe TID: 3104 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004088B0 rdtsc 6_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 23_2_0087B89C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008868BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 23_2_008868BA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0088245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 23_2_0088245C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008931DC FindFirstFileW,FindNextFileW,FindClose, 23_2_008931DC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_008785EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 23_2_008785EA
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Thread delayed: delay time: 35576
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000008.00000000.314540524.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000008.00000000.314540524.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000008.00000000.295449841.0000000008CEA000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq%%
Source: explorer.exe, 00000008.00000000.339578610.0000000008B4E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000008.00000000.339578610.0000000008B4E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000008.00000000.368949944.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.339578610.0000000008B4E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000008.00000000.294727832.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000008.00000000.294727832.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000008.00000000.309101909.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: TPJX2QwEdXs5sTV.exe, 00000001.00000002.281632826.0000000002FA1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00892258 IsDebuggerPresent, 23_2_00892258
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00886C9A GetProcessHeap,RtlFreeHeap, 23_2_00886C9A
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004088B0 rdtsc 6_2_004088B0
Enables debug privileges
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] 6_2_00FFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFB8D0 mov ecx, dword ptr fs:[00000030h] 6_2_00FFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] 6_2_00FFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] 6_2_00FFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] 6_2_00FFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFB8D0 mov eax, dword ptr fs:[00000030h] 6_2_00FFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9F0BF mov ecx, dword ptr fs:[00000030h] 6_2_00F9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9F0BF mov eax, dword ptr fs:[00000030h] 6_2_00F9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9F0BF mov eax, dword ptr fs:[00000030h] 6_2_00F9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA90AF mov eax, dword ptr fs:[00000030h] 6_2_00FA90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69080 mov eax, dword ptr fs:[00000030h] 6_2_00F69080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE3884 mov eax, dword ptr fs:[00000030h] 6_2_00FE3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE3884 mov eax, dword ptr fs:[00000030h] 6_2_00FE3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F80050 mov eax, dword ptr fs:[00000030h] 6_2_00F80050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F80050 mov eax, dword ptr fs:[00000030h] 6_2_00F80050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] 6_2_00F7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] 6_2_00F7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] 6_2_00F7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7B02A mov eax, dword ptr fs:[00000030h] 6_2_00F7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h] 6_2_00FE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h] 6_2_00FE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE7016 mov eax, dword ptr fs:[00000030h] 6_2_00FE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01034015 mov eax, dword ptr fs:[00000030h] 6_2_01034015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01034015 mov eax, dword ptr fs:[00000030h] 6_2_01034015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h] 6_2_00F6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h] 6_2_00F6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6B1E1 mov eax, dword ptr fs:[00000030h] 6_2_00F6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01022073 mov eax, dword ptr fs:[00000030h] 6_2_01022073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01031074 mov eax, dword ptr fs:[00000030h] 6_2_01031074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F8C182 mov eax, dword ptr fs:[00000030h] 6_2_00F8C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9A185 mov eax, dword ptr fs:[00000030h] 6_2_00F9A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6B171 mov eax, dword ptr fs:[00000030h] 6_2_00F6B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6B171 mov eax, dword ptr fs:[00000030h] 6_2_00F6B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F8B944 mov eax, dword ptr fs:[00000030h] 6_2_00F8B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F8B944 mov eax, dword ptr fs:[00000030h] 6_2_00F8B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9513A mov eax, dword ptr fs:[00000030h] 6_2_00F9513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9513A mov eax, dword ptr fs:[00000030h] 6_2_00F9513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F84120 mov eax, dword ptr fs:[00000030h] 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F84120 mov ecx, dword ptr fs:[00000030h] 6_2_00F84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h] 6_2_00F69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h] 6_2_00F69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69100 mov eax, dword ptr fs:[00000030h] 6_2_00F69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0102131B mov eax, dword ptr fs:[00000030h] 6_2_0102131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9FAB0 mov eax, dword ptr fs:[00000030h] 6_2_00F9FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] 6_2_00F652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] 6_2_00F652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] 6_2_00F652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] 6_2_00F652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F652A5 mov eax, dword ptr fs:[00000030h] 6_2_00F652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01038B58 mov eax, dword ptr fs:[00000030h] 6_2_01038B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9D294 mov eax, dword ptr fs:[00000030h] 6_2_00F9D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9D294 mov eax, dword ptr fs:[00000030h] 6_2_00F9D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA927A mov eax, dword ptr fs:[00000030h] 6_2_00FA927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0101D380 mov ecx, dword ptr fs:[00000030h] 6_2_0101D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0102138A mov eax, dword ptr fs:[00000030h] 6_2_0102138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01035BA5 mov eax, dword ptr fs:[00000030h] 6_2_01035BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] 6_2_00F69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] 6_2_00F69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] 6_2_00F69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F69240 mov eax, dword ptr fs:[00000030h] 6_2_00F69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0101B260 mov eax, dword ptr fs:[00000030h] 6_2_0101B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0101B260 mov eax, dword ptr fs:[00000030h] 6_2_0101B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01038A62 mov eax, dword ptr fs:[00000030h] 6_2_01038A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F71B8F mov eax, dword ptr fs:[00000030h] 6_2_00F71B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F71B8F mov eax, dword ptr fs:[00000030h] 6_2_00F71B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F93B7A mov eax, dword ptr fs:[00000030h] 6_2_00F93B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F93B7A mov eax, dword ptr fs:[00000030h] 6_2_00F93B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6DB60 mov ecx, dword ptr fs:[00000030h] 6_2_00F6DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6F358 mov eax, dword ptr fs:[00000030h] 6_2_00F6F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6DB40 mov eax, dword ptr fs:[00000030h] 6_2_00F6DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01038D34 mov eax, dword ptr fs:[00000030h] 6_2_01038D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F8746D mov eax, dword ptr fs:[00000030h] 6_2_00F8746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFC450 mov eax, dword ptr fs:[00000030h] 6_2_00FFC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFC450 mov eax, dword ptr fs:[00000030h] 6_2_00FFC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9BC2C mov eax, dword ptr fs:[00000030h] 6_2_00F9BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01018DF1 mov eax, dword ptr fs:[00000030h] 6_2_01018DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] 6_2_00FE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] 6_2_00FE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] 6_2_00FE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE6C0A mov eax, dword ptr fs:[00000030h] 6_2_00FE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01021C06 mov eax, dword ptr fs:[00000030h] 6_2_01021C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0103740D mov eax, dword ptr fs:[00000030h] 6_2_0103740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0103740D mov eax, dword ptr fs:[00000030h] 6_2_0103740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0103740D mov eax, dword ptr fs:[00000030h] 6_2_0103740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F935A1 mov eax, dword ptr fs:[00000030h] 6_2_00F935A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9FD9B mov eax, dword ptr fs:[00000030h] 6_2_00F9FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9FD9B mov eax, dword ptr fs:[00000030h] 6_2_00F9FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] 6_2_00F62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] 6_2_00F62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] 6_2_00F62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] 6_2_00F62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F62D8A mov eax, dword ptr fs:[00000030h] 6_2_00F62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F8C577 mov eax, dword ptr fs:[00000030h] 6_2_00F8C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F8C577 mov eax, dword ptr fs:[00000030h] 6_2_00F8C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F87D50 mov eax, dword ptr fs:[00000030h] 6_2_00F87D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FA3D43 mov eax, dword ptr fs:[00000030h] 6_2_00FA3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE3540 mov eax, dword ptr fs:[00000030h] 6_2_00FE3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h] 6_2_00F94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h] 6_2_00F94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F94D3B mov eax, dword ptr fs:[00000030h] 6_2_00F94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F73D34 mov eax, dword ptr fs:[00000030h] 6_2_00F73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6AD30 mov eax, dword ptr fs:[00000030h] 6_2_00F6AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01038CD6 mov eax, dword ptr fs:[00000030h] 6_2_01038CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010214FB mov eax, dword ptr fs:[00000030h] 6_2_010214FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0103070D mov eax, dword ptr fs:[00000030h] 6_2_0103070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0103070D mov eax, dword ptr fs:[00000030h] 6_2_0103070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F776E2 mov eax, dword ptr fs:[00000030h] 6_2_00F776E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F916E0 mov ecx, dword ptr fs:[00000030h] 6_2_00F916E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F936CC mov eax, dword ptr fs:[00000030h] 6_2_00F936CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FE46A7 mov eax, dword ptr fs:[00000030h] 6_2_00FE46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01038F6A mov eax, dword ptr fs:[00000030h] 6_2_01038F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFFE87 mov eax, dword ptr fs:[00000030h] 6_2_00FFFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7766D mov eax, dword ptr fs:[00000030h] 6_2_00F7766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6E620 mov eax, dword ptr fs:[00000030h] 6_2_00F6E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h] 6_2_00F6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h] 6_2_00F6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F6C600 mov eax, dword ptr fs:[00000030h] 6_2_00F6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0101FE3F mov eax, dword ptr fs:[00000030h] 6_2_0101FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7FF60 mov eax, dword ptr fs:[00000030h] 6_2_00F7FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h] 6_2_01030EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h] 6_2_01030EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01030EA5 mov eax, dword ptr fs:[00000030h] 6_2_01030EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F7EF40 mov eax, dword ptr fs:[00000030h] 6_2_00F7EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0101FEC0 mov eax, dword ptr fs:[00000030h] 6_2_0101FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F9E730 mov eax, dword ptr fs:[00000030h] 6_2_00F9E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01038ED6 mov eax, dword ptr fs:[00000030h] 6_2_01038ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F64F2E mov eax, dword ptr fs:[00000030h] 6_2_00F64F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00F64F2E mov eax, dword ptr fs:[00000030h] 6_2_00F64F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFFF10 mov eax, dword ptr fs:[00000030h] 6_2_00FFFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00FFFF10 mov eax, dword ptr fs:[00000030h] 6_2_00FFFF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0089B5E0 mov eax, dword ptr fs:[00000030h] 23_2_0089B5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AF358 mov eax, dword ptr fs:[00000030h] 23_2_035AF358
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03678F6A mov eax, dword ptr fs:[00000030h] 23_2_03678F6A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035ADB40 mov eax, dword ptr fs:[00000030h] 23_2_035ADB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BEF40 mov eax, dword ptr fs:[00000030h] 23_2_035BEF40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D3B7A mov eax, dword ptr fs:[00000030h] 23_2_035D3B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D3B7A mov eax, dword ptr fs:[00000030h] 23_2_035D3B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035ADB60 mov ecx, dword ptr fs:[00000030h] 23_2_035ADB60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BFF60 mov eax, dword ptr fs:[00000030h] 23_2_035BFF60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03678B58 mov eax, dword ptr fs:[00000030h] 23_2_03678B58
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DA70E mov eax, dword ptr fs:[00000030h] 23_2_035DA70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DA70E mov eax, dword ptr fs:[00000030h] 23_2_035DA70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0367070D mov eax, dword ptr fs:[00000030h] 23_2_0367070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0367070D mov eax, dword ptr fs:[00000030h] 23_2_0367070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DE730 mov eax, dword ptr fs:[00000030h] 23_2_035DE730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363FF10 mov eax, dword ptr fs:[00000030h] 23_2_0363FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363FF10 mov eax, dword ptr fs:[00000030h] 23_2_0363FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A4F2E mov eax, dword ptr fs:[00000030h] 23_2_035A4F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A4F2E mov eax, dword ptr fs:[00000030h] 23_2_035A4F2E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0366131B mov eax, dword ptr fs:[00000030h] 23_2_0366131B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E37F5 mov eax, dword ptr fs:[00000030h] 23_2_035E37F5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03675BA5 mov eax, dword ptr fs:[00000030h] 23_2_03675BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DB390 mov eax, dword ptr fs:[00000030h] 23_2_035DB390
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B1B8F mov eax, dword ptr fs:[00000030h] 23_2_035B1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B1B8F mov eax, dword ptr fs:[00000030h] 23_2_035B1B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0365D380 mov ecx, dword ptr fs:[00000030h] 23_2_0365D380
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0366138A mov eax, dword ptr fs:[00000030h] 23_2_0366138A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03627794 mov eax, dword ptr fs:[00000030h] 23_2_03627794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03627794 mov eax, dword ptr fs:[00000030h] 23_2_03627794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03627794 mov eax, dword ptr fs:[00000030h] 23_2_03627794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0365B260 mov eax, dword ptr fs:[00000030h] 23_2_0365B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0365B260 mov eax, dword ptr fs:[00000030h] 23_2_0365B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03678A62 mov eax, dword ptr fs:[00000030h] 23_2_03678A62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] 23_2_035A9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] 23_2_035A9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] 23_2_035A9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9240 mov eax, dword ptr fs:[00000030h] 23_2_035A9240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] 23_2_035B7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] 23_2_035B7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] 23_2_035B7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] 23_2_035B7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] 23_2_035B7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B7E41 mov eax, dword ptr fs:[00000030h] 23_2_035B7E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E927A mov eax, dword ptr fs:[00000030h] 23_2_035E927A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] 23_2_035CAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] 23_2_035CAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] 23_2_035CAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] 23_2_035CAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CAE73 mov eax, dword ptr fs:[00000030h] 23_2_035CAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03634257 mov eax, dword ptr fs:[00000030h] 23_2_03634257
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B766D mov eax, dword ptr fs:[00000030h] 23_2_035B766D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C3A1C mov eax, dword ptr fs:[00000030h] 23_2_035C3A1C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DA61C mov eax, dword ptr fs:[00000030h] 23_2_035DA61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DA61C mov eax, dword ptr fs:[00000030h] 23_2_035DA61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0365FE3F mov eax, dword ptr fs:[00000030h] 23_2_0365FE3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h] 23_2_035AC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h] 23_2_035AC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AC600 mov eax, dword ptr fs:[00000030h] 23_2_035AC600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AE620 mov eax, dword ptr fs:[00000030h] 23_2_035AE620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D36CC mov eax, dword ptr fs:[00000030h] 23_2_035D36CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E8EC7 mov eax, dword ptr fs:[00000030h] 23_2_035E8EC7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0365FEC0 mov eax, dword ptr fs:[00000030h] 23_2_0365FEC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03678ED6 mov eax, dword ptr fs:[00000030h] 23_2_03678ED6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B76E2 mov eax, dword ptr fs:[00000030h] 23_2_035B76E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D16E0 mov ecx, dword ptr fs:[00000030h] 23_2_035D16E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h] 23_2_03670EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h] 23_2_03670EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03670EA5 mov eax, dword ptr fs:[00000030h] 23_2_03670EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_036246A7 mov eax, dword ptr fs:[00000030h] 23_2_036246A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DD294 mov eax, dword ptr fs:[00000030h] 23_2_035DD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DD294 mov eax, dword ptr fs:[00000030h] 23_2_035DD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363FE87 mov eax, dword ptr fs:[00000030h] 23_2_0363FE87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BAAB0 mov eax, dword ptr fs:[00000030h] 23_2_035BAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BAAB0 mov eax, dword ptr fs:[00000030h] 23_2_035BAAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DFAB0 mov eax, dword ptr fs:[00000030h] 23_2_035DFAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] 23_2_035A52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] 23_2_035A52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] 23_2_035A52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] 23_2_035A52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A52A5 mov eax, dword ptr fs:[00000030h] 23_2_035A52A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C7D50 mov eax, dword ptr fs:[00000030h] 23_2_035C7D50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CB944 mov eax, dword ptr fs:[00000030h] 23_2_035CB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CB944 mov eax, dword ptr fs:[00000030h] 23_2_035CB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E3D43 mov eax, dword ptr fs:[00000030h] 23_2_035E3D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03623540 mov eax, dword ptr fs:[00000030h] 23_2_03623540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AB171 mov eax, dword ptr fs:[00000030h] 23_2_035AB171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AB171 mov eax, dword ptr fs:[00000030h] 23_2_035AB171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CC577 mov eax, dword ptr fs:[00000030h] 23_2_035CC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CC577 mov eax, dword ptr fs:[00000030h] 23_2_035CC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AC962 mov eax, dword ptr fs:[00000030h] 23_2_035AC962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03678D34 mov eax, dword ptr fs:[00000030h] 23_2_03678D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0362A537 mov eax, dword ptr fs:[00000030h] 23_2_0362A537
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h] 23_2_035A9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h] 23_2_035A9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9100 mov eax, dword ptr fs:[00000030h] 23_2_035A9100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h] 23_2_035D4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h] 23_2_035D4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D4D3B mov eax, dword ptr fs:[00000030h] 23_2_035D4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D513A mov eax, dword ptr fs:[00000030h] 23_2_035D513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D513A mov eax, dword ptr fs:[00000030h] 23_2_035D513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AAD30 mov eax, dword ptr fs:[00000030h] 23_2_035AAD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B3D34 mov eax, dword ptr fs:[00000030h] 23_2_035B3D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C4120 mov eax, dword ptr fs:[00000030h] 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C4120 mov ecx, dword ptr fs:[00000030h] 23_2_035C4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_036341E8 mov eax, dword ptr fs:[00000030h] 23_2_036341E8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03658DF1 mov eax, dword ptr fs:[00000030h] 23_2_03658DF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h] 23_2_035AB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h] 23_2_035AB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035AB1E1 mov eax, dword ptr fs:[00000030h] 23_2_035AB1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BD5E0 mov eax, dword ptr fs:[00000030h] 23_2_035BD5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BD5E0 mov eax, dword ptr fs:[00000030h] 23_2_035BD5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DFD9B mov eax, dword ptr fs:[00000030h] 23_2_035DFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DFD9B mov eax, dword ptr fs:[00000030h] 23_2_035DFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] 23_2_035A2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] 23_2_035A2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] 23_2_035A2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] 23_2_035A2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A2D8A mov eax, dword ptr fs:[00000030h] 23_2_035A2D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DA185 mov eax, dword ptr fs:[00000030h] 23_2_035DA185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035CC182 mov eax, dword ptr fs:[00000030h] 23_2_035CC182
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035D35A1 mov eax, dword ptr fs:[00000030h] 23_2_035D35A1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C0050 mov eax, dword ptr fs:[00000030h] 23_2_035C0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C0050 mov eax, dword ptr fs:[00000030h] 23_2_035C0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03671074 mov eax, dword ptr fs:[00000030h] 23_2_03671074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03662073 mov eax, dword ptr fs:[00000030h] 23_2_03662073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DA44B mov eax, dword ptr fs:[00000030h] 23_2_035DA44B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035C746D mov eax, dword ptr fs:[00000030h] 23_2_035C746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363C450 mov eax, dword ptr fs:[00000030h] 23_2_0363C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363C450 mov eax, dword ptr fs:[00000030h] 23_2_0363C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03661C06 mov eax, dword ptr fs:[00000030h] 23_2_03661C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] 23_2_03626C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] 23_2_03626C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] 23_2_03626C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626C0A mov eax, dword ptr fs:[00000030h] 23_2_03626C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h] 23_2_0367740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h] 23_2_0367740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0367740D mov eax, dword ptr fs:[00000030h] 23_2_0367740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] 23_2_035BB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] 23_2_035BB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] 23_2_035BB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035BB02A mov eax, dword ptr fs:[00000030h] 23_2_035BB02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DBC2C mov eax, dword ptr fs:[00000030h] 23_2_035DBC2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03674015 mov eax, dword ptr fs:[00000030h] 23_2_03674015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03674015 mov eax, dword ptr fs:[00000030h] 23_2_03674015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h] 23_2_03627016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h] 23_2_03627016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03627016 mov eax, dword ptr fs:[00000030h] 23_2_03627016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h] 23_2_03626CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h] 23_2_03626CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03626CF0 mov eax, dword ptr fs:[00000030h] 23_2_03626CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_036614FB mov eax, dword ptr fs:[00000030h] 23_2_036614FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03678CD6 mov eax, dword ptr fs:[00000030h] 23_2_03678CD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] 23_2_0363B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363B8D0 mov ecx, dword ptr fs:[00000030h] 23_2_0363B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] 23_2_0363B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] 23_2_0363B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] 23_2_0363B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0363B8D0 mov eax, dword ptr fs:[00000030h] 23_2_0363B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035B849B mov eax, dword ptr fs:[00000030h] 23_2_035B849B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035A9080 mov eax, dword ptr fs:[00000030h] 23_2_035A9080
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DF0BF mov ecx, dword ptr fs:[00000030h] 23_2_035DF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DF0BF mov eax, dword ptr fs:[00000030h] 23_2_035DF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035DF0BF mov eax, dword ptr fs:[00000030h] 23_2_035DF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03623884 mov eax, dword ptr fs:[00000030h] 23_2_03623884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_03623884 mov eax, dword ptr fs:[00000030h] 23_2_03623884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_035E90AF mov eax, dword ptr fs:[00000030h] 23_2_035E90AF
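Every line above records one read of fs:[00000030h], the TEB slot that holds the PEB pointer in a 32-bit (here WOW64) process. The instruction by itself says little: the CRT reads PEB.ProcessHeap, the loader walks PEB.Ldr, and inlined GetModuleHandle does the same, so what matters is which PEB field the code dereferences next. Byte 2 (BeingDebugged) and offset 0x68 (NtGlobalFlag, whose heap flags change under a debugger) are the classic anti-debug reads. The scanner below, added here as an example and not code from the report or from Joe Sandbox, finds each fs:[30h] read in a byte buffer, works out which register received the pointer and classifies the field read within a short window afterwards. The SAMPLE bytes are constructed to show the idiom; they are not a dump of RegSvcs.exe or cmd.exe, and the PEB_FIELDS table covers only the offsets relevant here.

```python
"""
Added example (not part of the Joe Sandbox report): scanner for the 32-bit PEB
reads the report lists as 'mov eax, dword ptr fs:[00000030h]'.  SAMPLE is a
constructed byte string, not memory dumped from the analysed processes.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# x86 / WOW64 encodings of `mov r32, fs:[0x30]`:
#   64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00 rm=101 -> disp32,
#                                                 reg field selects the register)
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")

# x86 PEB field offsets worth telling apart once the pointer is in a register.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


@dataclass
class PebHit:
    offset: int   # byte offset of the fs:[30h] read
    dest: str     # register that receives the PEB pointer
    field: str    # PEB field dereferenced next, or "unknown" if none found in the window


def _deref_disp8(window: bytes, base: int) -> Optional[int]:
    """If `window` starts with a [base+disp8] memory operand, return disp8.

    Covers the forms anti-debug stubs use: 8A/8B (mov r8/r32, [base+d8]),
    0F B6 (movzx r32, byte [base+d8]), 80 /7 (cmp byte [base+d8], imm8) and
    F6 /0 (test byte [base+d8], imm8).  All share ModRM mod=01, rm=base.
    """
    if window[:2] == b"\x0f\xb6":
        i = 2
    elif window[:1] in (b"\x8a", b"\x8b", b"\x80", b"\xf6"):
        i = 1
    else:
        return None
    if len(window) < i + 2 or base == 4:   # rm=100 needs a SIB byte; not handled here
        return None
    modrm = window[i]
    if (modrm >> 6) != 0b01 or (modrm & 7) != base:
        return None
    return window[i + 1]


def scan_peb_reads(buf: bytes, window: int = 16) -> List[PebHit]:
    """Locate every fs:[30h] read in `buf` and classify the PEB field it leads to."""
    hits: List[PebHit] = []
    for m in PEB_READ.finditer(buf):
        enc = m.group(0)
        base = 0 if enc[1] == 0xA1 else (enc[2] >> 3) & 7
        field = "unknown"
        tail = buf[m.end(): m.end() + window]
        # Heuristic: the dereference is usually the next instruction, but a stub may
        # interleave junk, so slide through a short window instead of checking one spot.
        for k in range(len(tail)):
            disp = _deref_disp8(tail[k:], base)
            if disp is not None:
                field = PEB_FIELDS.get(disp, f"+0x{disp:02x}")
                break
        hits.append(PebHit(m.start(), REGS[base], field))
    return hits


def is_anti_debug(hits: List[PebHit]) -> bool:
    """fs:[30h] alone is weak evidence (the CRT reads ProcessHeap, the loader walks
    Ldr); only BeingDebugged / NtGlobalFlag reads are the debugger check."""
    return any(h.field in ("BeingDebugged", "NtGlobalFlag") for h in hits)


# Constructed sample: three PEB reads as a packer stub might emit them.
SAMPLE = bytes.fromhex(
    "64a130000000" "0fb64002" "85c0" "7502"   # mov eax,fs:[30h]; movzx eax,byte [eax+2]; test eax,eax; jnz
    "648b0d30000000" "f6416870"               # mov ecx,fs:[30h]; test byte [ecx+68h],70h
    "64a130000000" "8b400c" "8b7014"          # mov eax,fs:[30h]; mov eax,[eax+0Ch]; mov esi,[eax+14h]
    "90909090"
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print(f"offset {h.offset:#06x}: PEB -> {h.dest}, reads {h.field}")
    print("anti-debug:", is_anti_debug(scan_peb_reads(SAMPLE)))
```

Run against a dumped code section, this turns the per-function counts above (thirteen reads in 6_2_00F73D34 alone) into something actionable: hits that resolve to Ldr or ProcessHeap are loader and heap traffic, hits that resolve to BeingDebugged or NtGlobalFlag are the checks the "DebugPort" queries in the next signature complement.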
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409B20 LdrLoadDll, 6_2_00409B20
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00886FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00886FE3
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00887310 SetUnhandledExceptionFilter, 23_2_00887310

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.ice-lemon.pro
Source: C:\Windows\explorer.exe Domain query: www.indianadogeavaxsite.site
Source: C:\Windows\explorer.exe Domain query: www.munortiete.com
Source: C:\Windows\explorer.exe Domain query: www.pierrot-bros.com
Source: C:\Windows\explorer.exe Network Connect: 54.194.41.141 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.147.111 80
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 870000
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 709008
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3292
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3292
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.328066914.0000000001400000.00000002.00020000.sdmp, cmd.exe, 00000017.00000002.522213506.0000000005CA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.284022944.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000008.00000000.294727832.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 23_2_008796A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 23_2_00875AEF
Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 23_2_00883F80
Source: C:\Users\user\Desktop\TPJX2QwEdXs5sTV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_00893CC7 _get_osfhandle,GetLocalTime,SetLocalTime,SetLocalTime,GetLastError,GetLastError, 23_2_00893CC7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 23_2_0087443C GetVersion, 23_2_0087443C

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.TPJX2QwEdXs5sTV.exe.4175e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000000.342627286.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.514970004.0000000002D90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390262569.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.512368731.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.321761934.000000000E077000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.389976608.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.513972990.00000000029D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282361714.0000000003FA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390330954.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.282500066.000000000409E000.00000004.00000001.sdmp, type: MEMORY