Windows Analysis Report ltylqhqpele080

Overview

General Information

Sample Name: ltylqhqpele080 (renamed file extension from none to exe)
Analysis ID: 533021
MD5: 45ee102bc8dcea993313fbcf1ff617f8
SHA1: 7c2d4af342bec7d137df5ee7bb7048b3db22b692
SHA256: ecab5de023d8473783a6824f69b59a1bfd7f1223792a96babfb997a292e7d789
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name recorded in its version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

AV Detection:

Found malware configuration
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.kjtaxpro.com/r0bh/"], "decoy": ["karo-tasty.com", "canlioyuncuyuz.online", "app-demo.xyz", "fountainspringscapemay.com", "completefuid.com", "sideroyalpalacehotel.website", "tollesonhouses.com", "zjef.top", "fuckingmom89.xyz", "toituresante.com", "arabatas.com", "trans-mall.com", "davidruperezdorao.com", "cspro-lb.com", "xiluoxtmcwj.com", "medicinaoralbarcelona.com", "rayganesh.com", "bakosaoje.xyz", "8nst.com", "nigeriasecurityexpo.com", "geradsss.com", "nsureagent.com", "luxerlegends.com", "usedhondacar.com", "39mpt.xyz", "pellecorentin.com", "suddennnnnnnnnnnn37.xyz", "feierabendshop.com", "latest-football.pro", "mayyaramedical.com", "astrielle.com", "icobrothers.media", "946aaw.net", "resourcesassitance.com", "divinebaking.online", "allmanac.info", "mushukids.com", "trendytechtreats.com", "clubfohl.com", "ttportalbham2.com", "productzon.net", "ambosholmzoril.com", "luosenhuagong.com", "zhbhhj.com", "eclox-btp.com", "oldstjoe.com", "longshengfz.com", "sarasotaexterminator.com", "getjoyce.net", "game-band.com", "5gongvo.xyz", "gcioral.xyz", "missuser.info", "invertirenstartup.com", "018seo.com", "angeleyesevents.com", "heritzlab.com", "eleditorplatense.com", "ectax.online", "ngaviations.com", "spiveyvillage.online", "heartfeltgiftery.com", "resortonannamariais.land", "crktinc.com"]}
Multi AV Scanner detection for submitted file
Source: ltylqhqpele080.exe VirusTotal: Detection: 35%
Source: ltylqhqpele080.exe ReversingLabs: Detection: 70%
Yara detected FormBook
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
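
Added example (not part of the sandbox report): a Python parser for the memory-dump identifiers that the Yara matches above refer to. It assumes the layout <process index>.<phase>.<dump id>.<base address>.<page protection>.<flags>.sdmp, inferred from the identifiers on this page and from the process names attached to them elsewhere in the report (index 0 and 4: ltylqhqpele080.exe, 9: wscript.exe, 20: explorer.exe; index 6 is never named); the protection field is decoded with the winnt.h PAGE_* constants, under which 0x40 is PAGE_EXECUTE_READWRITE, the protection an injector sets on a region it writes code into. The eleven identifiers are copied from the list above; the function names and the process map are the example's own. The check a practitioner wants from this list is which processes hold executable FormBook code and how many hits sit at the 0x400000 image base, which is what the report's process-hollowing signature describes.

```python
import re
from collections import Counter
from dataclasses import dataclass

# winnt.h memory-protection constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Process names taken from other entries on this page; index 6 is not named there.
PROCESS_NAMES = {0: "ltylqhqpele080.exe", 4: "ltylqhqpele080.exe",
                 9: "wscript.exe", 20: "explorer.exe"}

# Assumed identifier layout: proc.phase.dumpid.base.protect.flags.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<phase>[0-9a-f]{8})\.(?P<dump_id>[0-9a-f]+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<flags>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRef:
    process: int
    phase: int
    dump_id: str
    base: int
    protect: int
    flags: int

    @property
    def protection_name(self):
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08x}")

    @property
    def executable(self):
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def process_name(self):
        return PROCESS_NAMES.get(self.process, f"process {self.process} (unnamed on page)")


def parse_dump_ref(name):
    """Parse one '<...>.sdmp' identifier; raises ValueError on anything else."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump identifier: {name!r}")
    g = m.groupdict()
    return DumpRef(int(g["proc"], 16), int(g["phase"], 16), g["dump_id"],
                   int(g["base"], 16), int(g["protect"], 16), int(g["flags"], 16))


# The memory-type Yara matches listed above, copied verbatim.
YARA_MEMORY_HITS = [
    "00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp",
    "00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp",
    "00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp",
    "00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp",
    "00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp",
    "00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp",
    "00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp",
    "00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp",
    "00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp",
    "00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp",
]


def executable_hits_by_process(names):
    """Count Yara hits that sit in executable memory, per process index."""
    counts = Counter()
    for ref in map(parse_dump_ref, names):
        if ref.executable:
            counts[ref.process] += 1
    return dict(counts)


def hollowed_image_hits(names, image_base=0x400000):
    """Hits at the default 32-bit EXE image base with executable protection:
    the rewritten main module that the process-hollowing signature describes."""
    return [r for r in map(parse_dump_ref, names) if r.base == image_base and r.executable]


def triage_lines(names):
    """One human-readable line per hit, e.g. for a ticket or a hunt query."""
    return [f"{r.process_name}: {r.protection_name} region at 0x{r.base:08x}"
            for r in map(parse_dump_ref, names)]


if __name__ == "__main__":
    for line in triage_lines(YARA_MEMORY_HITS):
        print(line)
    print("executable hits per process:", executable_hits_by_process(YARA_MEMORY_HITS))
    print("hits at 0x400000:", len(hollowed_image_hits(YARA_MEMORY_HITS)))
```

Run against the list, the script shows every executable hit in process 4 (the hollowed copy of the sample) and process 9 (wscript.exe) as PAGE_EXECUTE_READWRITE, while the two PAGE_READWRITE hits (the 0x2C90000 heap region in wscript.exe and 0x38A9000 in the original process) are data copies of the payload rather than code that ran.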

Compliance:

Uses 32bit PE files
Source: ltylqhqpele080.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ltylqhqpele080.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscript.pdbGCTL source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ltylqhqpele080.exe, ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wscript.pdb source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4x nop then pop esi 4_2_00415832
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4x nop then pop ebx 4_2_00406AB4
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4x nop then pop edi 4_2_00415676
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop ebx 9_2_02386AB5
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop esi 9_2_02395832
Source: C:\Windows\SysWOW64\wscript.exe Code function: 4x nop then pop edi 9_2_02395676
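
Added example (not the sandbox's own signature logic): a Python scanner for the byte pattern behind the "inlined nop" hits above, that is, a run of four or more 0x90 bytes immediately followed by a one-byte pop r32 (opcodes 0x58 to 0x5F), reported with the register name the way the report phrases it. The input bytes are constructed here to exercise the matcher, including two near-misses; the sample's own code at the listed addresses is not reproduced, and the image base used for the printed addresses is the 32-bit default, which with DYNAMIC_BASE set (see the static PE flags above) is not necessarily where the sample was loaded. Compiler alignment padding can produce the same byte sequence, so treat matches as a triage heuristic, as the report does, not a verdict.

```python
import re
from collections import namedtuple

# Single-byte 'pop r32' opcodes: 0x58 + register number (Intel SDM vol. 2).
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

Hit = namedtuple("Hit", "offset nops register")


def find_nop_pop(code, min_nops=4):
    """Return a Hit for every run of at least min_nops 0x90 bytes that is
    immediately followed by a one-byte pop r32. Shorter runs, and runs
    followed by anything else, are ignored."""
    pattern = re.compile(rb"\x90{%d,}[\x58-\x5f]" % min_nops)
    hits = []
    for m in pattern.finditer(code):
        run = m.group()
        hits.append(Hit(m.start(), len(run) - 1, POP_R32[run[-1]]))
    return hits


def describe(hits, base=0x400000):
    """Render hits the way the report phrases them, with a virtual address
    computed from a caller-supplied image base."""
    return [f"{h.nops}x nop then pop {h.register} at 0x{base + h.offset:08X}"
            for h in hits]


# Constructed test bytes (not from the sample): a prologue, a true hit,
# two near-misses (too few nops; nops followed by ret), and a second hit.
CONSTRUCTED_CODE = (
    b"\x55\x8B\xEC"              # push ebp; mov ebp, esp
    + b"\x90\x90\x90\x90\x5E"    # 4x nop; pop esi   -> hit at offset 3
    + b"\x90\x90\x5F"            # 2x nop; pop edi   -> too short, ignored
    + b"\x90\x90\x90\x90\xC3"    # 4x nop; ret       -> no pop, ignored
    + b"\x90" * 5 + b"\x5B"      # 5x nop; pop ebx   -> hit at offset 16
    + b"\xC3"                    # ret
)

if __name__ == "__main__":
    for line in describe(find_nop_pop(CONSTRUCTED_CODE)):
        print(line)
```

To run it over a real dump, read the .unpack or .sdmp file as bytes and pass the region's base address to describe(); hits in the unpacked 0x400000 image should then line up with the 4_2_0041xxxx addresses the report lists.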

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49882 -> 217.116.0.191:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49882 -> 217.116.0.191:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49882 -> 217.116.0.191:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.kjtaxpro.com/r0bh/
Source: explorer.exe, 00000014.00000003.858985956.0000000005B82000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.854322656.0000000005B9F000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853322407.0000000005BA3000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.885459379.0000000005B82000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000014.00000003.855454668.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.859217350.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.854275861.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853620009.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.854749305.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853677185.0000000005C61000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853526769.0000000005C55000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.853189065.0000000005C55000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft.co
Source: explorer.exe, 00000014.00000003.885877595.0000000005BFE000.00000004.00000001.sdmp String found in binary or memory: http://schrosoft.com/win/2004/08/events/event
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: ltylqhqpele080.exe, 00000000.00000002.672452444.0000000006A02000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.productzon.net (productzon.net is in the decoy list of the extracted configuration, so this query is FormBook's decoy traffic, not contact with the C2 host www.kjtaxpro.com)
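
Added example (not part of the sandbox report): a Python triage script over the configuration extracted in the AV Detection section and the DNS query listed just above. A FormBook config carries one real C2 URL plus a long list of decoy domains that the bot also contacts, with a www. prefix as the DNS query shows, to bury the real check-in; blocklisting the decoys breaks access to legitimate sites and hides nothing, so the script separates the two, defangs only the C2, classifies an observed hostname as c2, decoy or unknown, and checks a file against the hashes in the report header. The config, hashes and hostname are copied from this page (the decoy list is a subset of the 64 entries above); the function names are the example's own. The font-vendor and CRL URLs in the memory-string list above are licensing and certificate metadata, not indicators, and are left out.

```python
import hashlib

# Copied from the report's "Found malware configuration" entry; the decoy list
# is a subset of the 64 decoys listed on the page, enough to exercise the check.
FORMBOOK_CONFIG = {
    "C2 list": ["www.kjtaxpro.com/r0bh/"],
    "decoy": ["karo-tasty.com", "canlioyuncuyuz.online", "app-demo.xyz",
              "productzon.net", "zjef.top", "trendytechtreats.com",
              "resourcesassitance.com", "crktinc.com"],
}

# Hashes of the submitted sample, copied from the report header.
SAMPLE_HASHES = {
    "md5": "45ee102bc8dcea993313fbcf1ff617f8",
    "sha1": "7c2d4af342bec7d137df5ee7bb7048b3db22b692",
    "sha256": "ecab5de023d8473783a6824f69b59a1bfd7f1223792a96babfb997a292e7d789",
}


def c2_hosts(config):
    """Hostnames of the real C2 URLs: 'www.kjtaxpro.com/r0bh/' -> 'www.kjtaxpro.com'."""
    return [url.split("/", 1)[0].lower() for url in config["C2 list"]]


def _strip_www(host):
    """Drop a leading 'www.' (the bot prepends it when it resolves decoys, as the
    DNS entry on this page shows) and a trailing dot. This is not a public-suffix
    lookup; it only needs to match config entries, which omit the prefix."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_host(host, config=FORMBOOK_CONFIG):
    """'c2' if the host is the configured C2, 'decoy' if it is one of the
    decoys the bot also talks to, otherwise 'unknown'."""
    key = _strip_www(host)
    if key in {_strip_www(h) for h in c2_hosts(config)}:
        return "c2"
    if key in {_strip_www(d) for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def defang(indicator):
    """Make a URL or hostname non-clickable and non-resolving for sharing."""
    return (indicator.replace("https://", "hxxps://")
                     .replace("http://", "hxxp://")
                     .replace(".", "[.]"))


def blocklist(config=FORMBOOK_CONFIG):
    """Defanged indicators worth blocking: only the C2 URL(s). The decoys are
    real third-party sites; blocking them causes outages and hides nothing."""
    return [defang("http://" + url) for url in config["C2 list"]]


def matches_sample(data, expected=SAMPLE_HASHES):
    """True only if the bytes match every digest in the report header."""
    return all(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in expected.items())


if __name__ == "__main__":
    # The hostname from the DNS entry above resolves to a decoy, not the C2.
    print("www.productzon.net ->", classify_host("www.productzon.net"))
    print("www.kjtaxpro.com   ->", classify_host("www.kjtaxpro.com"))
    print("blocklist:", blocklist())
```

The same split applies to the Snort hits above: the ET FormBook check-in rules fire on the URI pattern, so an alert against 217.116.0.191 by itself does not say whether that address is the C2 or a decoy; resolve the hostname from the DNS or HTTP Host header and classify it before escalating.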

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: ltylqhqpele080.exe, 00000000.00000002.670129647.0000000000CE0000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Caveat: the matched string names DirectDraw (DDRAW.DLL, DirectDrawCreateEx), not DirectInput, and is shaped like a hook-configuration entry rather than an import or call in the sample's own code, so on its own it is weak evidence for keystroke capture.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: ltylqhqpele080.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_00EEE074 0_2_00EEE074
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04E56668 0_2_04E56668
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04E567C8 0_2_04E567C8
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04E50508 0_2_04E50508
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04E567B9 0_2_04E567B9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04E58870 0_2_04E58870
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAA948 0_2_04EAA948
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAB080 0_2_04EAB080
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAC448 0_2_04EAC448
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAC1C1 0_2_04EAC1C1
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAC110 0_2_04EAC110
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_00562050 0_2_00562050
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041C8DA 4_2_0041C8DA
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041C083 4_2_0041C083
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B8B3 4_2_0041B8B3
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041C123 4_2_0041C123
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041C1E0 4_2_0041C1E0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041D208 4_2_0041D208
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041C3AC 4_2_0041C3AC
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00408C6E 4_2_00408C6E
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00408C70 4_2_00408C70
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041BD78 4_2_0041BD78
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041BE6C 4_2_0041BE6C
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019899BF 4_2_019899BF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196F900 4_2_0196F900
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01984120 4_2_01984120
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197B090 4_2_0197B090
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A320A8 4_2_01A320A8
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019920A0 4_2_019920A0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A328EC 4_2_01A328EC
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3E824 4_2_01A3E824
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21002 4_2_01A21002
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198A830 4_2_0198A830
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198EB9A 4_2_0198EB9A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199138B 4_2_0199138B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199EBB0 4_2_0199EBB0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199ABD8 4_2_0199ABD8
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A123E3 4_2_01A123E3
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2DBD2 4_2_01A2DBD2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A203DA 4_2_01A203DA
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A32B28 4_2_01A32B28
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198A309 4_2_0198A309
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198AB40 4_2_0198AB40
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A0CB4F 4_2_01A0CB4F
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A322AE 4_2_01A322AE
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24AEF 4_2_01A24AEF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A1FA2B 4_2_01A1FA2B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B236 4_2_0198B236
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01992581 4_2_01992581
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197D5E0 4_2_0197D5E0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A325DD 4_2_01A325DD
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A32D07 4_2_01A32D07
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01960D20 4_2_01960D20
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A31D55 4_2_01A31D55
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197841F 4_2_0197841F
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2D466 4_2_01A2D466
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A31FF1 4_2_01A31FF1
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3DFCE 4_2_01A3DFCE
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A32EF7 4_2_01A32EF7
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01986E30 4_2_01986E30
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2D616 4_2_01A2D616
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00F32050 4_2_00F32050
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D841F 9_2_047D841F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0488D466 9_2_0488D466
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048925DD 9_2_048925DD
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047C0D20 9_2_047C0D20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04892D07 9_2_04892D07
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047DD5E0 9_2_047DD5E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04891D55 9_2_04891D55
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F2581 9_2_047F2581
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E6E30 9_2_047E6E30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04892EF7 9_2_04892EF7
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0488D616 9_2_0488D616
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0489DFCE 9_2_0489DFCE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04891FF1 9_2_04891FF1
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048920A8 9_2_048920A8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EA830 9_2_047EA830
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048928EC 9_2_048928EC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881002 9_2_04881002
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0489E824 9_2_0489E824
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F20A0 9_2_047F20A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047DB090 9_2_047DB090
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E4120 9_2_047E4120
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047CF900 9_2_047CF900
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E99BF 9_2_047E99BF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048922AE 9_2_048922AE
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB236 9_2_047EB236
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884AEF 9_2_04884AEF
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0487FA2B 9_2_0487FA2B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EAB40 9_2_047EAB40
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048803DA 9_2_048803DA
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0488DBD2 9_2_0488DBD2
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048723E3 9_2_048723E3
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EA309 9_2_047EA309
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04892B28 9_2_04892B28
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FABD8 9_2_047FABD8
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0486CB4F 9_2_0486CB4F
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FEBB0 9_2_047FEBB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F138B 9_2_047F138B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02382FB0 9_2_02382FB0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02388C70 9_2_02388C70
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02388C6E 9_2_02388C6E
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02382D90 9_2_02382D90
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: String function: 0196B150 appears 139 times
Source: C:\Windows\SysWOW64\wscript.exe Code function: String function: 047CB150 appears 136 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004185D0 NtCreateFile, 4_2_004185D0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00418680 NtReadFile, 4_2_00418680
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00418700 NtClose, 4_2_00418700
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004187B0 NtAllocateVirtualMemory, 4_2_004187B0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041867A NtReadFile, 4_2_0041867A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004186FC NtClose, 4_2_004186FC
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004187AB NtAllocateVirtualMemory, 4_2_004187AB
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A99A0 NtCreateSection,LdrInitializeThunk, 4_2_019A99A0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_019A9910
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A98F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_019A98F0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9840 NtDelayExecution,LdrInitializeThunk, 4_2_019A9840
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_019A9860
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_019A9A00
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9A20 NtResumeThread,LdrInitializeThunk, 4_2_019A9A20
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9A50 NtCreateFile,LdrInitializeThunk, 4_2_019A9A50
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A95D0 NtClose,LdrInitializeThunk, 4_2_019A95D0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9540 NtReadFile,LdrInitializeThunk, 4_2_019A9540
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9780 NtMapViewOfSection,LdrInitializeThunk, 4_2_019A9780
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_019A97A0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9FE0 NtCreateMutant,LdrInitializeThunk, 4_2_019A9FE0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9710 NtQueryInformationToken,LdrInitializeThunk, 4_2_019A9710
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_019A96E0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_019A9660
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A99D0 NtCreateProcessEx, 4_2_019A99D0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9950 NtQueueApcThread, 4_2_019A9950
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A98A0 NtWriteVirtualMemory, 4_2_019A98A0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9820 NtEnumerateKey, 4_2_019A9820
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019AB040 NtSuspendThread, 4_2_019AB040
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019AA3B0 NtGetContextThread, 4_2_019AA3B0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9B00 NtSetValueKey, 4_2_019A9B00
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9A80 NtOpenDirectoryObject, 4_2_019A9A80
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9A10 NtQuerySection, 4_2_019A9A10
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A95F0 NtQueryInformationFile, 4_2_019A95F0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019AAD30 NtSetContextThread, 4_2_019AAD30
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9520 NtWaitForSingleObject, 4_2_019A9520
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9560 NtWriteFile, 4_2_019A9560
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019AA710 NtOpenProcessToken, 4_2_019AA710
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9730 NtQueryVirtualMemory, 4_2_019A9730
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019AA770 NtOpenThread, 4_2_019AA770
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9770 NtSetInformationFile, 4_2_019A9770
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9760 NtOpenProcess, 4_2_019A9760
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A96D0 NtCreateKey, 4_2_019A96D0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9610 NtEnumerateValueKey, 4_2_019A9610
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9650 NtQueryValueKey, 4_2_019A9650
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A9670 NtQueryInformationProcess, 4_2_019A9670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048095D0 NtClose,LdrInitializeThunk, 9_2_048095D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809540 NtReadFile,LdrInitializeThunk, 9_2_04809540
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048096D0 NtCreateKey,LdrInitializeThunk, 9_2_048096D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048096E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_048096E0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809650 NtQueryValueKey,LdrInitializeThunk, 9_2_04809650
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_04809660
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809780 NtMapViewOfSection,LdrInitializeThunk, 9_2_04809780
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809FE0 NtCreateMutant,LdrInitializeThunk, 9_2_04809FE0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809710 NtQueryInformationToken,LdrInitializeThunk, 9_2_04809710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809840 NtDelayExecution,LdrInitializeThunk, 9_2_04809840
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_04809860
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048099A0 NtCreateSection,LdrInitializeThunk, 9_2_048099A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_04809910
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809A50 NtCreateFile,LdrInitializeThunk, 9_2_04809A50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048095F0 NtQueryInformationFile, 9_2_048095F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809520 NtWaitForSingleObject, 9_2_04809520
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0480AD30 NtSetContextThread, 9_2_0480AD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809560 NtWriteFile, 9_2_04809560
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809610 NtEnumerateValueKey, 9_2_04809610
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809670 NtQueryInformationProcess, 9_2_04809670
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048097A0 NtUnmapViewOfSection, 9_2_048097A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0480A710 NtOpenProcessToken, 9_2_0480A710
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809730 NtQueryVirtualMemory, 9_2_04809730
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809760 NtOpenProcess, 9_2_04809760
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0480A770 NtOpenThread, 9_2_0480A770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809770 NtSetInformationFile, 9_2_04809770
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048098A0 NtWriteVirtualMemory, 9_2_048098A0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048098F0 NtReadVirtualMemory, 9_2_048098F0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809820 NtEnumerateKey, 9_2_04809820
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0480B040 NtSuspendThread, 9_2_0480B040
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048099D0 NtCreateProcessEx, 9_2_048099D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809950 NtQueueApcThread, 9_2_04809950
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809A80 NtOpenDirectoryObject, 9_2_04809A80
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809A00 NtProtectVirtualMemory, 9_2_04809A00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809A10 NtQuerySection, 9_2_04809A10
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809A20 NtResumeThread, 9_2_04809A20
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0480A3B0 NtGetContextThread, 9_2_0480A3B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04809B00 NtSetValueKey, 9_2_04809B00
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02398680 NtReadFile, 9_2_02398680
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_02398700 NtClose, 9_2_02398700
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023987B0 NtAllocateVirtualMemory, 9_2_023987B0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023985D0 NtCreateFile, 9_2_023985D0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239867A NtReadFile, 9_2_0239867A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023986FC NtClose, 9_2_023986FC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_023987AB NtAllocateVirtualMemory, 9_2_023987AB
Sample file is different than original file name gathered from version info
Source: ltylqhqpele080.exe Binary or memory string: OriginalFilename vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000000.00000002.670129647.0000000000CE0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000000.00000002.672813701.00000000073F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameInnerException.dll" vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000000.00000002.672859745.0000000007610000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll@ vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000004.00000002.726882016.0000000001BEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe Binary or memory string: OriginalFilenameCspKeyContainerIn.exe6 vs ltylqhqpele080.exe
Source: ltylqhqpele080.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ltylqhqpele080.exe Virustotal: Detection: 35%
Source: ltylqhqpele080.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\ltylqhqpele080.exe "C:\Users\user\Desktop\ltylqhqpele080.exe"
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process created: C:\Users\user\Desktop\ltylqhqpele080.exe C:\Users\user\Desktop\ltylqhqpele080.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process created: C:\Users\user\Desktop\ltylqhqpele080.exe C:\Users\user\Desktop\ltylqhqpele080.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Users\user\Desktop\ltylqhqpele080.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ltylqhqpele080.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@1/0
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ltylqhqpele080.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ltylqhqpele080.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ltylqhqpele080.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ltylqhqpele080.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscript.pdbGCTL source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ltylqhqpele080.exe, ltylqhqpele080.exe, 00000004.00000002.726585834.0000000001A5F000.00000040.00000001.sdmp, ltylqhqpele080.exe, 00000004.00000002.723589294.0000000001940000.00000040.00000001.sdmp, wscript.exe, wscript.exe, 00000009.00000002.922804388.00000000048BF000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.922649876.00000000047A0000.00000040.00000001.sdmp
Source: Binary string: wscript.pdb source: ltylqhqpele080.exe, 00000004.00000002.726985609.0000000001CF0000.00000040.00020000.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: ltylqhqpele080.exe, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.ltylqhqpele080.exe.560000.0.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.ltylqhqpele080.exe.560000.0.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.3.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.5.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.ltylqhqpele080.exe.f30000.1.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.0.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.9.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.2.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.1.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.ltylqhqpele080.exe.f30000.7.unpack, BugVenture/TradingScreen.cs .Net Code: CF234052 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_00566F01 push es; iretd 0_2_00566F30
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_00566E2F push es; iretd 0_2_00566E88
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EAC448 push esp; ret 0_2_04EAC5A9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EA423A push esp; retf 0_2_04EA4259
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 0_2_04EA4358 pushfd ; retf 0_2_04EA4359
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B87C push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B812 push eax; ret 4_2_0041B818
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B81B push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041CD74 push dword ptr [0E9B1F9Dh]; ret 4_2_0041CD99
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041CE24 push dword ptr [8E775501h]; ret 4_2_0041CF52
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0041B7C5 push eax; ret 4_2_0041B818
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00F36E2F push es; iretd 4_2_00F36E88
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00F36F01 push es; iretd 4_2_00F36F30
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019BD0D1 push ecx; ret 4_2_019BD0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0481D0D1 push ecx; ret 9_2_0481D0E4
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B81B push eax; ret 9_2_0239B882
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B812 push eax; ret 9_2_0239B818
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B87C push eax; ret 9_2_0239B882
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239CE24 push dword ptr [8E775501h]; ret 9_2_0239CF52
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239B7C5 push eax; ret 9_2_0239B818
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0239CD74 push dword ptr [0E9B1F9Dh]; ret 9_2_0239CD99
Binary contains a suspicious time stamp
Source: ltylqhqpele080.exe Static PE information: 0xA2510432 [Mon Apr 17 17:34:42 2056 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.88898363134

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\wscript.exe Process created: /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.ltylqhqpele080.exe.28c564c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.28f1cc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ltylqhqpele080.exe PID: 2208, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ltylqhqpele080.exe, 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: ltylqhqpele080.exe, 00000000.00000002.670774502.00000000028A1000.00000004.00000001.sdmp, ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ltylqhqpele080.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\ltylqhqpele080.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 0000000002388604 second address: 000000000238860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 000000000238898E second address: 0000000002388994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ltylqhqpele080.exe TID: 1280 Thread sleep time: -35612s >= -30000s
Source: C:\Users\user\Desktop\ltylqhqpele080.exe TID: 6404 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\wscript.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004088C0 rdtsc 4_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread delayed: delay time: 922337203685477
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread delayed: delay time: 35612
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000014.00000000.854473585.0000000005C05000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000S
Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.705558543.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.853774785.0000000005ACD000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00Rom0o
Source: explorer.exe, 00000006.00000000.700531325.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.692668305.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000006.00000000.705988911.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000014.00000003.850798839.0000000005AE8000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000N%\
Source: explorer.exe, 00000014.00000003.850798839.0000000005AE8000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000~
Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000014.00000003.850415833.0000000005AA6000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000014.00000003.853322407.0000000005BA3000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.850415833.0000000005AA6000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000014.00000003.853112569.0000000005BEC000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}j
Source: explorer.exe, 00000014.00000000.878698122.0000000010E60000.00000004.00000001.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb0<4
Source: explorer.exe, 00000014.00000003.853112569.0000000005BEC000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00&
Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000014.00000003.828472411.0000000003FF9000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:YU"M
Source: explorer.exe, 00000006.00000000.680137543.000000000FD4E000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAd
Source: ltylqhqpele080.exe, 00000000.00000002.670840541.00000000028DC000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000014.00000003.855528040.0000000005B9F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.689720858.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000000.853774785.0000000005ACD000.00000004.00000001.sdmp Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:Ga
Source: explorer.exe, 00000014.00000003.828389918.0000000003F73000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000014.00000003.879647210.000000000FBBC000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: explorer.exe, 00000014.00000003.861258555.000000000FBD7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Source: explorer.exe, 00000014.00000003.866004106.000000000FB37000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BSm
Source: explorer.exe, 00000014.00000003.873385225.000000000FBD7000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000014.00000003.885027734.000000000FE1C000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9
Source: explorer.exe, 00000014.00000000.852393959.0000000005A05000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_004088C0 rdtsc 4_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A249A4 mov eax, dword ptr fs:[00000030h] 4_2_01A249A4
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01992990 mov eax, dword ptr fs:[00000030h] 4_2_01992990
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198C182 mov eax, dword ptr fs:[00000030h] 4_2_0198C182
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199A185 mov eax, dword ptr fs:[00000030h] 4_2_0199A185
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E51BE mov eax, dword ptr fs:[00000030h] 4_2_019E51BE
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019899BF mov ecx, dword ptr fs:[00000030h] 4_2_019899BF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019899BF mov eax, dword ptr fs:[00000030h] 4_2_019899BF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E69A6 mov eax, dword ptr fs:[00000030h] 4_2_019E69A6
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019961A0 mov eax, dword ptr fs:[00000030h] 4_2_019961A0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019F41E8 mov eax, dword ptr fs:[00000030h] 4_2_019F41E8
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0196B1E1
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01969100 mov eax, dword ptr fs:[00000030h] 4_2_01969100
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199513A mov eax, dword ptr fs:[00000030h] 4_2_0199513A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01984120 mov eax, dword ptr fs:[00000030h] 4_2_01984120
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01984120 mov ecx, dword ptr fs:[00000030h] 4_2_01984120
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B944 mov eax, dword ptr fs:[00000030h] 4_2_0198B944
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196B171 mov eax, dword ptr fs:[00000030h] 4_2_0196B171
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196C962 mov eax, dword ptr fs:[00000030h] 4_2_0196C962
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01969080 mov eax, dword ptr fs:[00000030h] 4_2_01969080
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E3884 mov eax, dword ptr fs:[00000030h] 4_2_019E3884
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199F0BF mov ecx, dword ptr fs:[00000030h] 4_2_0199F0BF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199F0BF mov eax, dword ptr fs:[00000030h] 4_2_0199F0BF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A90AF mov eax, dword ptr fs:[00000030h] 4_2_019A90AF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019920A0 mov eax, dword ptr fs:[00000030h] 4_2_019920A0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FB8D0 mov eax, dword ptr fs:[00000030h] 4_2_019FB8D0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FB8D0 mov ecx, dword ptr fs:[00000030h] 4_2_019FB8D0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019640E1 mov eax, dword ptr fs:[00000030h] 4_2_019640E1
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019658EC mov eax, dword ptr fs:[00000030h] 4_2_019658EC
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0198B8E4
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E7016 mov eax, dword ptr fs:[00000030h] 4_2_019E7016
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198A830 mov eax, dword ptr fs:[00000030h] 4_2_0198A830
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199002D mov eax, dword ptr fs:[00000030h] 4_2_0199002D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A34015 mov eax, dword ptr fs:[00000030h] 4_2_01A34015
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197B02A mov eax, dword ptr fs:[00000030h] 4_2_0197B02A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01980050 mov eax, dword ptr fs:[00000030h] 4_2_01980050
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22073 mov eax, dword ptr fs:[00000030h] 4_2_01A22073
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A31074 mov eax, dword ptr fs:[00000030h] 4_2_01A31074
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198EB9A mov eax, dword ptr fs:[00000030h] 4_2_0198EB9A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A35BA5 mov eax, dword ptr fs:[00000030h] 4_2_01A35BA5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199B390 mov eax, dword ptr fs:[00000030h] 4_2_0199B390
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01992397 mov eax, dword ptr fs:[00000030h] 4_2_01992397
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199138B mov eax, dword ptr fs:[00000030h] 4_2_0199138B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01971B8F mov eax, dword ptr fs:[00000030h] 4_2_01971B8F
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A1D380 mov ecx, dword ptr fs:[00000030h] 4_2_01A1D380
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2138A mov eax, dword ptr fs:[00000030h] 4_2_01A2138A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01994BAD mov eax, dword ptr fs:[00000030h] 4_2_01994BAD
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A123E3 mov ecx, dword ptr fs:[00000030h] 4_2_01A123E3
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A123E3 mov eax, dword ptr fs:[00000030h] 4_2_01A123E3
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E53CA mov eax, dword ptr fs:[00000030h] 4_2_019E53CA
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198DBE9 mov eax, dword ptr fs:[00000030h] 4_2_0198DBE9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019903E2 mov eax, dword ptr fs:[00000030h] 4_2_019903E2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198A309 mov eax, dword ptr fs:[00000030h] 4_2_0198A309
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2131B mov eax, dword ptr fs:[00000030h] 4_2_01A2131B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196F358 mov eax, dword ptr fs:[00000030h] 4_2_0196F358
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196DB40 mov eax, dword ptr fs:[00000030h] 4_2_0196DB40
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01993B7A mov eax, dword ptr fs:[00000030h] 4_2_01993B7A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196DB60 mov ecx, dword ptr fs:[00000030h] 4_2_0196DB60
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A38B58 mov eax, dword ptr fs:[00000030h] 4_2_01A38B58
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199D294 mov eax, dword ptr fs:[00000030h] 4_2_0199D294
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197AAB0 mov eax, dword ptr fs:[00000030h] 4_2_0197AAB0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199FAB0 mov eax, dword ptr fs:[00000030h] 4_2_0199FAB0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019652A5 mov eax, dword ptr fs:[00000030h] 4_2_019652A5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24AEF mov eax, dword ptr fs:[00000030h] 4_2_01A24AEF
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01992ACB mov eax, dword ptr fs:[00000030h] 4_2_01992ACB
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01992AE4 mov eax, dword ptr fs:[00000030h] 4_2_01992AE4
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196AA16 mov eax, dword ptr fs:[00000030h] 4_2_0196AA16
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01983A1C mov eax, dword ptr fs:[00000030h] 4_2_01983A1C
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01965210 mov eax, dword ptr fs:[00000030h] 4_2_01965210
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01965210 mov ecx, dword ptr fs:[00000030h] 4_2_01965210
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01978A0A mov eax, dword ptr fs:[00000030h] 4_2_01978A0A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B236 mov eax, dword ptr fs:[00000030h] 4_2_0198B236
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198A229 mov eax, dword ptr fs:[00000030h] 4_2_0198A229
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2AA16 mov eax, dword ptr fs:[00000030h] 4_2_01A2AA16
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A4A2C mov eax, dword ptr fs:[00000030h] 4_2_019A4A2C
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A38A62 mov eax, dword ptr fs:[00000030h] 4_2_01A38A62
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A1B260 mov eax, dword ptr fs:[00000030h] 4_2_01A1B260
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019F4257 mov eax, dword ptr fs:[00000030h] 4_2_019F4257
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01969240 mov eax, dword ptr fs:[00000030h] 4_2_01969240
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A927A mov eax, dword ptr fs:[00000030h] 4_2_019A927A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2EA55 mov eax, dword ptr fs:[00000030h] 4_2_01A2EA55
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199FD9B mov eax, dword ptr fs:[00000030h] 4_2_0199FD9B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A305AC mov eax, dword ptr fs:[00000030h] 4_2_01A305AC
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01992581 mov eax, dword ptr fs:[00000030h] 4_2_01992581
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h] 4_2_01962D8A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h] 4_2_01962D8A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h] 4_2_01962D8A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h] 4_2_01962D8A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01962D8A mov eax, dword ptr fs:[00000030h] 4_2_01962D8A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A22D82 mov eax, dword ptr fs:[00000030h] 4_2_01A22D82
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01991DB5 mov eax, dword ptr fs:[00000030h] 4_2_01991DB5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01991DB5 mov eax, dword ptr fs:[00000030h] 4_2_01991DB5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01991DB5 mov eax, dword ptr fs:[00000030h] 4_2_01991DB5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019935A1 mov eax, dword ptr fs:[00000030h] 4_2_019935A1
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h] 4_2_01A2FDE2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h] 4_2_01A2FDE2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h] 4_2_01A2FDE2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2FDE2 mov eax, dword ptr fs:[00000030h] 4_2_01A2FDE2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A18DF1 mov eax, dword ptr fs:[00000030h] 4_2_01A18DF1
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_019E6DC9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_019E6DC9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_019E6DC9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6DC9 mov ecx, dword ptr fs:[00000030h] 4_2_019E6DC9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_019E6DC9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_019E6DC9
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0197D5E0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0197D5E0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A38D34 mov eax, dword ptr fs:[00000030h] 4_2_01A38D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2E539 mov eax, dword ptr fs:[00000030h] 4_2_01A2E539
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01994D3B mov eax, dword ptr fs:[00000030h] 4_2_01994D3B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01994D3B mov eax, dword ptr fs:[00000030h] 4_2_01994D3B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01994D3B mov eax, dword ptr fs:[00000030h] 4_2_01994D3B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01973D34 mov eax, dword ptr fs:[00000030h] 4_2_01973D34
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196AD30 mov eax, dword ptr fs:[00000030h] 4_2_0196AD30
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019EA537 mov eax, dword ptr fs:[00000030h] 4_2_019EA537
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199F527 mov eax, dword ptr fs:[00000030h] 4_2_0199F527
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199F527 mov eax, dword ptr fs:[00000030h] 4_2_0199F527
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199F527 mov eax, dword ptr fs:[00000030h] 4_2_0199F527
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01987D50 mov eax, dword ptr fs:[00000030h] 4_2_01987D50
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A3D43 mov eax, dword ptr fs:[00000030h] 4_2_019A3D43
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E3540 mov eax, dword ptr fs:[00000030h] 4_2_019E3540
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A13D40 mov eax, dword ptr fs:[00000030h] 4_2_01A13D40
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198C577 mov eax, dword ptr fs:[00000030h] 4_2_0198C577
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198C577 mov eax, dword ptr fs:[00000030h] 4_2_0198C577
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197849B mov eax, dword ptr fs:[00000030h] 4_2_0197849B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A24496 mov eax, dword ptr fs:[00000030h] 4_2_01A24496
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A214FB mov eax, dword ptr fs:[00000030h] 4_2_01A214FB
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6CF0 mov eax, dword ptr fs:[00000030h] 4_2_019E6CF0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6CF0 mov eax, dword ptr fs:[00000030h] 4_2_019E6CF0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6CF0 mov eax, dword ptr fs:[00000030h] 4_2_019E6CF0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A38CD6 mov eax, dword ptr fs:[00000030h] 4_2_01A38CD6
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h] 4_2_019E6C0A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h] 4_2_019E6C0A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h] 4_2_019E6C0A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E6C0A mov eax, dword ptr fs:[00000030h] 4_2_019E6C0A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21C06 mov eax, dword ptr fs:[00000030h] 4_2_01A21C06
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3740D mov eax, dword ptr fs:[00000030h] 4_2_01A3740D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3740D mov eax, dword ptr fs:[00000030h] 4_2_01A3740D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3740D mov eax, dword ptr fs:[00000030h] 4_2_01A3740D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199BC2C mov eax, dword ptr fs:[00000030h] 4_2_0199BC2C
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FC450 mov eax, dword ptr fs:[00000030h] 4_2_019FC450
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FC450 mov eax, dword ptr fs:[00000030h] 4_2_019FC450
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199A44B mov eax, dword ptr fs:[00000030h] 4_2_0199A44B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199AC7B mov eax, dword ptr fs:[00000030h] 4_2_0199AC7B
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B477 mov eax, dword ptr fs:[00000030h] 4_2_0198B477
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198746D mov eax, dword ptr fs:[00000030h] 4_2_0198746D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01978794 mov eax, dword ptr fs:[00000030h] 4_2_01978794
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E7794 mov eax, dword ptr fs:[00000030h] 4_2_019E7794
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E7794 mov eax, dword ptr fs:[00000030h] 4_2_019E7794
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E7794 mov eax, dword ptr fs:[00000030h] 4_2_019E7794
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A37F5 mov eax, dword ptr fs:[00000030h] 4_2_019A37F5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01994710 mov eax, dword ptr fs:[00000030h] 4_2_01994710
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198F716 mov eax, dword ptr fs:[00000030h] 4_2_0198F716
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FFF10 mov eax, dword ptr fs:[00000030h] 4_2_019FFF10
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FFF10 mov eax, dword ptr fs:[00000030h] 4_2_019FFF10
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199A70E mov eax, dword ptr fs:[00000030h] 4_2_0199A70E
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199A70E mov eax, dword ptr fs:[00000030h] 4_2_0199A70E
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B73D mov eax, dword ptr fs:[00000030h] 4_2_0198B73D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198B73D mov eax, dword ptr fs:[00000030h] 4_2_0198B73D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199E730 mov eax, dword ptr fs:[00000030h] 4_2_0199E730
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01993F33 mov eax, dword ptr fs:[00000030h] 4_2_01993F33
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3070D mov eax, dword ptr fs:[00000030h] 4_2_01A3070D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A3070D mov eax, dword ptr fs:[00000030h] 4_2_01A3070D
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01964F2E mov eax, dword ptr fs:[00000030h] 4_2_01964F2E
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01964F2E mov eax, dword ptr fs:[00000030h] 4_2_01964F2E
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A38F6A mov eax, dword ptr fs:[00000030h] 4_2_01A38F6A
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197EF40 mov eax, dword ptr fs:[00000030h] 4_2_0197EF40
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197FF60 mov eax, dword ptr fs:[00000030h] 4_2_0197FF60
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A30EA5 mov eax, dword ptr fs:[00000030h] 4_2_01A30EA5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A30EA5 mov eax, dword ptr fs:[00000030h] 4_2_01A30EA5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A30EA5 mov eax, dword ptr fs:[00000030h] 4_2_01A30EA5
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019FFE87 mov eax, dword ptr fs:[00000030h] 4_2_019FFE87
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019E46A7 mov eax, dword ptr fs:[00000030h] 4_2_019E46A7
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019936CC mov eax, dword ptr fs:[00000030h] 4_2_019936CC
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019A8EC7 mov eax, dword ptr fs:[00000030h] 4_2_019A8EC7
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A1FEC0 mov eax, dword ptr fs:[00000030h] 4_2_01A1FEC0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A38ED6 mov eax, dword ptr fs:[00000030h] 4_2_01A38ED6
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019776E2 mov eax, dword ptr fs:[00000030h] 4_2_019776E2
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_019916E0 mov ecx, dword ptr fs:[00000030h] 4_2_019916E0
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199A61C mov eax, dword ptr fs:[00000030h] 4_2_0199A61C
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0199A61C mov eax, dword ptr fs:[00000030h] 4_2_0199A61C
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196C600 mov eax, dword ptr fs:[00000030h] 4_2_0196C600
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196C600 mov eax, dword ptr fs:[00000030h] 4_2_0196C600
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196C600 mov eax, dword ptr fs:[00000030h] 4_2_0196C600
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01998E00 mov eax, dword ptr fs:[00000030h] 4_2_01998E00
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A1FE3F mov eax, dword ptr fs:[00000030h] 4_2_01A1FE3F
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A21608 mov eax, dword ptr fs:[00000030h] 4_2_01A21608
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0196E620 mov eax, dword ptr fs:[00000030h] 4_2_0196E620
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h] 4_2_01977E41
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h] 4_2_01977E41
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h] 4_2_01977E41
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h] 4_2_01977E41
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h] 4_2_01977E41
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01977E41 mov eax, dword ptr fs:[00000030h] 4_2_01977E41
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2AE44 mov eax, dword ptr fs:[00000030h] 4_2_01A2AE44
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_01A2AE44 mov eax, dword ptr fs:[00000030h] 4_2_01A2AE44
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h] 4_2_0198AE73
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h] 4_2_0198AE73
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h] 4_2_0198AE73
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h] 4_2_0198AE73
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0198AE73 mov eax, dword ptr fs:[00000030h] 4_2_0198AE73
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_0197766D mov eax, dword ptr fs:[00000030h] 4_2_0197766D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FAC7B mov eax, dword ptr fs:[00000030h] 9_2_047FAC7B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EB477 mov eax, dword ptr fs:[00000030h] 9_2_047EB477
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E746D mov eax, dword ptr fs:[00000030h] 9_2_047E746D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04884496 mov eax, dword ptr fs:[00000030h] 9_2_04884496
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FA44B mov eax, dword ptr fs:[00000030h] 9_2_047FA44B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047FBC2C mov eax, dword ptr fs:[00000030h] 9_2_047FBC2C
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04898CD6 mov eax, dword ptr fs:[00000030h] 9_2_04898CD6
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048814FB mov eax, dword ptr fs:[00000030h] 9_2_048814FB
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846CF0 mov eax, dword ptr fs:[00000030h] 9_2_04846CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846CF0 mov eax, dword ptr fs:[00000030h] 9_2_04846CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846CF0 mov eax, dword ptr fs:[00000030h] 9_2_04846CF0
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0489740D mov eax, dword ptr fs:[00000030h] 9_2_0489740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0489740D mov eax, dword ptr fs:[00000030h] 9_2_0489740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0489740D mov eax, dword ptr fs:[00000030h] 9_2_0489740D
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04881C06 mov eax, dword ptr fs:[00000030h] 9_2_04881C06
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846C0A mov eax, dword ptr fs:[00000030h] 9_2_04846C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846C0A mov eax, dword ptr fs:[00000030h] 9_2_04846C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846C0A mov eax, dword ptr fs:[00000030h] 9_2_04846C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846C0A mov eax, dword ptr fs:[00000030h] 9_2_04846C0A
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0485C450 mov eax, dword ptr fs:[00000030h] 9_2_0485C450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_0485C450 mov eax, dword ptr fs:[00000030h] 9_2_0485C450
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D849B mov eax, dword ptr fs:[00000030h] 9_2_047D849B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EC577 mov eax, dword ptr fs:[00000030h] 9_2_047EC577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047EC577 mov eax, dword ptr fs:[00000030h] 9_2_047EC577
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04882D82 mov eax, dword ptr fs:[00000030h] 9_2_04882D82
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048905AC mov eax, dword ptr fs:[00000030h] 9_2_048905AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_048905AC mov eax, dword ptr fs:[00000030h] 9_2_048905AC
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047E7D50 mov eax, dword ptr fs:[00000030h] 9_2_047E7D50
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F4D3B mov eax, dword ptr fs:[00000030h] 9_2_047F4D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F4D3B mov eax, dword ptr fs:[00000030h] 9_2_047F4D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047F4D3B mov eax, dword ptr fs:[00000030h] 9_2_047F4D3B
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047D3D34 mov eax, dword ptr fs:[00000030h] 9_2_047D3D34
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_047CAD30 mov eax, dword ptr fs:[00000030h] 9_2_047CAD30
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846DC9 mov eax, dword ptr fs:[00000030h] 9_2_04846DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846DC9 mov eax, dword ptr fs:[00000030h] 9_2_04846DC9
Source: C:\Windows\SysWOW64\wscript.exe Code function: 9_2_04846DC9 mov eax, dword ptr fs:[00000030h] 9_2_04846DC9
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Code function: 4_2_00409B30 LdrLoadDll, 4_2_00409B30
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Memory allocated: page read and write | page guard
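The fs:[00000030h] reads listed above are loads of the PEB pointer from the TEB; the PEB field the next instruction dereferences says why the read is there. BeingDebugged (+0x02) and NtGlobalFlag (+0x68) are debugger checks, Ldr (+0x0C) is the loader's module list used for manual API resolution, which fits the LdrLoadDll reference reported above. As an added example that is not part of the Joe Sandbox report, this Python byte scanner finds both encodings of `mov r32, dword ptr fs:[30h]` in raw 32-bit code and names the field read next. The field table and the demo bytes are this example's own; the bytes are constructed, not taken from the sample.

```python
from typing import Dict, List, Optional

# x86 (32-bit) PEB field offsets that code reading fs:[30h] most often goes on to touch.
PEB_FIELDS: Dict[int, str] = {
    0x02: "BeingDebugged",       # anti-debug
    0x0C: "Ldr",                 # manual API resolution via the loader's module list
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",        # anti-debug (heap flags 0x70 are set under a debugger)
}

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
FS30 = b"\x30\x00\x00\x00"      # disp32 for fs:[00000030h]


def _follow_on_field(code: bytes, pos: int, reg: str) -> Optional[str]:
    """If the instruction at pos reads [reg+disp8], name the PEB field at disp8."""
    rm = REG32.index(reg)
    if rm == 4:                   # esp as base needs a SIB byte; not decoded here
        return None
    # movzx r32,[..] / mov r32,[..] / mov r8,[..] / cmp byte [..],imm8 / test byte [..],imm8
    for opcode in (b"\x0F\xB6", b"\x8B", b"\x8A", b"\x80", b"\xF6"):
        n = len(opcode)
        if code[pos:pos + n] == opcode and pos + n + 1 < len(code):
            modrm = code[pos + n]
            if (modrm >> 6) == 1 and (modrm & 7) == rm:   # mod=01 (disp8), rm=reg
                disp = code[pos + n + 1]
                return PEB_FIELDS.get(disp, f"PEB+0x{disp:02X}")
    return None


def find_peb_reads(code: bytes, base: int = 0) -> List[dict]:
    """Scan raw x86 code for 'mov r32, dword ptr fs:[30h]' and report each hit.

    Two encodings are matched: 64 A1 30 00 00 00 (eax short form) and
    64 8B /r with ModRM mod=00 rm=101, i.e. 64 8B {05,0D,15,1D,25,2D,35,3D} 30 00 00 00.
    Byte scanning knows no instruction boundaries, so confirm hits in a disassembler.
    """
    hits: List[dict] = []
    i = 0
    while i < len(code):
        reg, length = None, 0
        if code[i:i + 2] == b"\x64\xA1" and code[i + 2:i + 6] == FS30:
            reg, length = "eax", 6
        elif code[i:i + 2] == b"\x64\x8B" and code[i + 3:i + 7] == FS30:
            modrm = code[i + 2]
            if (modrm & 0xC7) == 0x05:
                reg, length = REG32[(modrm >> 3) & 7], 7
        if reg is None:
            i += 1
            continue
        hits.append({"offset": base + i, "reg": reg,
                     "field": _follow_on_field(code, i + length, reg)})
        i += length
    return hits


def summarize(hits: List[dict]) -> Dict[str, int]:
    """Count hits per PEB field, which is the quickest way to see what the reads are for."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = h["field"] or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed demo bytes (not taken from the sample): three PEB reads of the kind listed above.
DEMO_CODE = bytes.fromhex(
    "55 8B EC"               # push ebp / mov ebp, esp
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85 C0"                  # test eax, eax
    "75 10"                  # jne  debugger_found
    "64 8B 0D 30 00 00 00"   # mov ecx, dword ptr fs:[30h]
    "8B 41 68"               # mov eax, [ecx+68h]             ; PEB.NtGlobalFlag
    "A9 70 00 00 00"         # test eax, 70h
    "64 A1 30 00 00 00"      # mov eax, dword ptr fs:[30h]
    "8B 40 0C"               # mov eax, [eax+0Ch]             ; PEB.Ldr
    "5D C3"                  # pop ebp / ret
)

if __name__ == "__main__":
    for h in find_peb_reads(DEMO_CODE, base=0x401000):
        print(f"{h['offset']:08X}  mov {h['reg']}, fs:[30h]  ->  {h['field']}")
```

Run it against a dumped code section (the 9_2_* functions above live in a wscript.exe memory region, so use the process dump, not the file on disk) with the region's base address; a hit whose follow-on field is unknown is usually either a more complex access pattern or a coincidental byte match.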

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 110000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\System32\conhost.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Memory written: C:\Users\user\Desktop\ltylqhqpele080.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 5884
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process created: C:\Users\user\Desktop\ltylqhqpele080.exe C:\Users\user\Desktop\ltylqhqpele080.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
Source: explorer.exe, 00000006.00000000.699706643.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.671140171.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.687804076.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.703346932.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.844856375.0000000004820000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.846625096.00000000049F0000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.846625096.00000000049F0000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000014.00000000.839673947.0000000000548000.00000004.00000020.sdmp Binary or memory string: CProgman
Source: explorer.exe, 00000006.00000000.671362574.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.688098506.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.699905833.0000000001080000.00000002.00020000.sdmp, wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: wscript.exe, 00000009.00000002.922437107.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000014.00000000.840528983.0000000000AF0000.00000002.00020000.sdmp Binary or memory string: [Program Manager
Source: explorer.exe, 00000006.00000000.677167988.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.705703271.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.692668305.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: explorer.exe, 00000014.00000000.845391855.00000000048AD000.00000004.00000001.sdmp, explorer.exe, 00000014.00000003.825408061.00000000048AD000.00000004.00000001.sdmp Binary or memory string: Progmanp
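The indicator lines in this section are the stages of one injection chain, reported one API call at a time: a child of the sample created suspended, the wscript.exe image unmapped, an MZ-prefixed (4D5A) image written at base 400000, thread contexts set, RWX sections mapped into explorer.exe, and an APC queued there. As an added example that is not part of the Joe Sandbox report, the following Python parses a representative subset of those lines (copied from above with the link text removed) and correlates them per acting process into technique verdicts. The stage names and verdict rules are this example's own, not the sandbox's; it assumes the acting process path contains no spaces, which holds for every line here.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Indicator lines copied from the HIPS / PFW / Operating System Protection Evasion
# section above (link text removed). Headings name the signature; the "Source:"
# lines under a heading are its evidence.
REPORT = r"""
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 110000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Memory written: C:\Users\user\Desktop\ltylqhqpele080.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wscript.exe Thread register set: target process: 5884
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Process created: C:\Users\user\Desktop\ltylqhqpele080.exe C:\Users\user\Desktop\ltylqhqpele080.exe
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\ltylqhqpele080.exe"
"""

# Assumption: the acting process path carries no spaces (true for every line above).
LINE_RE = re.compile(
    r"^Source: (?P<source>\S+) "
    r"(?P<action>Section unmapped|Section loaded|Memory written|"
    r"Thread APC queued|Thread register set|Process created): (?P<rest>.*)$"
)


def stage_for(signature: str, action: str, rest: str) -> Optional[str]:
    """Map one evidence line to an injection stage, or None if it is not one."""
    if action == "Process created" and "suspended" in signature:
        return "create_suspended"
    if action == "Section unmapped":
        return "unmap_target_image"
    if action == "Memory written" and "value starts with: 4D5A" in rest:  # 4D5A == "MZ"
        return "write_pe_image"
    if action == "Thread register set":
        return "set_thread_context"
    if action == "Thread APC queued":
        return "queue_apc"
    if action == "Section loaded" and "execute and read and write" in rest:
        return "map_rwx_section"
    return None


def collect_stages(report: str) -> Dict[str, Set[str]]:
    """Group injection stages by the acting (source) process."""
    stages: Dict[str, Set[str]] = defaultdict(set)
    signature = ""
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            signature = line.lower()   # a heading: remember which signature follows
            continue
        stage = stage_for(signature, m["action"], m["rest"])
        if stage:
            stages[m["source"]].add(stage)
    return dict(stages)


HOLLOWING = {"create_suspended", "unmap_target_image", "write_pe_image"}


def classify(stages: Set[str]) -> List[str]:
    """Turn a stage set into technique names, strongest evidence first."""
    verdicts: List[str] = []
    hijack = stages & {"set_thread_context", "queue_apc"}
    if HOLLOWING <= stages and hijack:
        verdicts.append("process hollowing")
    if "map_rwx_section" in stages and hijack:
        verdicts.append("mapped-section injection with thread hijack")
    if "queue_apc" in stages:
        verdicts.append("APC injection")
    return verdicts


def triage(report: str) -> Dict[str, List[str]]:
    return {src: classify(st) for src, st in collect_stages(report).items()}


if __name__ == "__main__":
    for src, verdicts in triage(REPORT).items():
        print(f"{src}: {', '.join(verdicts) or 'no injection chain'}")
```

Grouping by acting process rather than by signature is what makes the picture readable: the sample itself completes the hollowing chain and also queues an APC into explorer.exe, while the hollowed wscript.exe only maps RWX sections and hijacks threads, then spawns cmd.exe to delete the original file.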

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Users\user\Desktop\ltylqhqpele080.exe VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ltylqhqpele080.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ltylqhqpele080.exe.39f5920.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.922183985.0000000002C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.695160915.000000000E475000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.921041516.00000000022C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.726954760.0000000001CA0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.668091433.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.708796821.000000000E475000.00000040.00020000.sdmp, type: MEMORY
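The Yara match sources listed under Stealing of Sensitive Information and Remote Access Functionality are the same set of memory dumps and unpacked PEs; what makes them useful for triage is the structure of the names, which encode the process, the snapshot and the memory region. The script below is an added example (not part of this report and not Joe Sandbox's own code) that parses those names and groups them by process. It assumes the layouts "process.snapshot.id.base.protection.type.sdmp" and "process.snapshot.image.base.n[.raw].unpack", that the process and snapshot fields are decimal, and that snapshot 0 is captured before the process runs its own code, so a FormBook match already present there at the image base in an RWX region points at a payload written in by the parent (consistent with the hollowing signatures in this report). The Windows constants PAGE_READWRITE, PAGE_EXECUTE_READWRITE and MEM_PRIVATE are certain; the sandbox's type value 0x00000001 is left undecoded. The input lines are constructed from this report.

```python
import re
from collections import defaultdict

# Windows constants (certain). The sandbox's own "type" column is decoded only
# where it equals MEM_PRIVATE; 0x00000001 is kept as an opaque value.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

# Constructed input: a subset of the "Yara detected FormBook" lines in this report.
SAMPLE_LINES = [
    "Source: Yara match File source: 4.0.ltylqhqpele080.exe.400000.6.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 4.2.ltylqhqpele080.exe.400000.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0.2.ltylqhqpele080.exe.3a4e140.4.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000009.00000002.921450922.0000000002380000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000000.668458884.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.720339473.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.726932121.0000000001C70000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.671190577.00000000038A9000.00000004.00000001.sdmp, type: MEMORY",
]

LINE_RE = re.compile(r"File source:\s*(?P<src>\S+),\s*type:\s*(?P<kind>\w+)")
# Assumed layout: <proc>.<snapshot>.<id>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<snap>\d{8})\.(?P<id>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed layout: <proc>.<snapshot>.<image>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<snap>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)"
    r"(?P<raw>\.raw)?\.unpack$"
)


def parse_source(line):
    """Return a dict describing one 'Yara match' line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    rec = {"kind": kind, "source": src, "prot": None, "mtype": None, "raw": False}
    sm = SDMP_RE.match(src)
    if sm:
        rec.update(proc=int(sm["proc"]), snap=int(sm["snap"]), base=int(sm["base"], 16),
                   prot=int(sm["prot"], 16), mtype=int(sm["mtype"], 16))
        return rec
    um = UNPACK_RE.match(src)
    if um:
        rec.update(proc=int(um["proc"]), snap=int(um["snap"]), image=um["image"],
                   base=int(um["base"], 16), raw=um["raw"] is not None)
        return rec
    return None


def prot_name(prot):
    """Human-readable name for the two protection values seen in this report."""
    names = {PAGE_READWRITE: "PAGE_READWRITE", PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE"}
    return names.get(prot, hex(prot) if prot is not None else "n/a")


def hollowing_candidates(records):
    """Return {(proc, base): sorted snapshots} for RWX regions whose match is present
    both at snapshot 0 and at a later snapshot of the same process.
    Assumption: snapshot 0 is taken before the process runs its own code, so a
    match already there means the payload was written in by the parent process."""
    snaps = defaultdict(set)
    for r in records:
        if r and r["kind"] == "MEMORY" and r["prot"] == PAGE_EXECUTE_READWRITE:
            snaps[(r["proc"], r["base"])].add(r["snap"])
    return {k: sorted(v) for k, v in snaps.items() if 0 in v and max(v) > 0}


def summarize(lines):
    """Per-process rows (proc, snapshot, base, protection, type) for MEMORY matches."""
    recs = [r for r in map(parse_source, lines) if r]
    rows = []
    for r in sorted(recs, key=lambda r: (r["proc"], r["snap"], r["base"])):
        if r["kind"] != "MEMORY":
            continue
        mtype = "MEM_PRIVATE" if r["mtype"] == MEM_PRIVATE else hex(r["mtype"])
        rows.append((r["proc"], r["snap"], hex(r["base"]), prot_name(r["prot"]), mtype))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LINES):
        print(*row, sep="\t")
    for (proc, base), s in hollowing_candidates(map(parse_source, SAMPLE_LINES)).items():
        print(f"process {proc}: RWX PE match at {hex(base)} in snapshots {s} -> hollowing candidate")
```

Run against the full set of lines in this report, the grouping separates the original .NET loader (process 0, a PAGE_READWRITE heap region holding the decrypted payload), the hollowed child (process 4, the same image base 0x400000 matched before and after execution) and a later process (9) that only carries the payload at run time; the 0x400000 match at snapshot 0 is the memory-level counterpart of the "Sample uses process hollowing technique" signature.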
No contacted IP infos