Source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1vqWz"} |
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]} |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: | Binary string: wextract.pdb source: Original Doc Ref SN02853801324189923.exe |
Source: | Binary string: wntdll.pdbUGP source: Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: Semiha.exe, Semiha.exe, 00000019.00000002.782575822.000000001E7A0000.00000040.00000001.sdmp, Semiha.exe, 00000019.00000002.782754601.000000001E8BF000.00000040.00000001.sdmp |
Source: | Binary string: wextract.pdbPp source: Original Doc Ref SN02853801324189923.exe |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC21E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | File opened: C:\Users\user~1\ |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | File opened: C:\Users\user~1\AppData\Local\Temp\ |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | File opened: C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | File opened: C:\Users\user~1\AppData\Local\ |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | File opened: C:\Users\user~1\AppData\ |
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: explorer.exe, 0000001C.00000000.747255053.0000000006870000.00000004.00000001.sdmp, explorer.exe, 0000001C.00000002.767904819.0000000006870000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J |
Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/ |
Source: Semiha.exe, 00000019.00000003.741011877.0000000000981000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740899622.0000000000942000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq |
Source: Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/ |
Source: Semiha.exe, 00000019.00000003.742044395.0000000000980000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/v1hb64q8 |
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/g |
Source: Semiha.exe, 00000019.00000003.741035770.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742494256.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.740971825.000000000093F000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779249493.0000000000940000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742345696.000000000093B000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742566992.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742408013.000000000093E000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742063444.000000000093B000.00000004.00000001.sdmp | String found in binary or memory: https://doc-10-80-docs.googleusercontent.com/z |
Source: Semiha.exe, 00000019.00000003.740959193.000000000093C000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0Ew |
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl |
Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKlNE-%& |
Source: Semiha.exe, 00000019.00000003.742532708.0000000000916000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779196860.0000000000917000.00000004.00000020.sdmp, Semiha.exe, 00000019.00000003.742377343.0000000000916000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKljD |
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000019.00000002.782433249.000000001E460000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC1DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC5B88 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029EE085 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029EA432 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7E6E30 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7FEBB0 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E881002 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7DB090 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7C0D20 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7E4120 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7CF900 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E891D55 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_0056E085 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_0056A432 |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029EE085 NtResumeThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8096E0 NtFreeVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809660 NtAllocateVirtualMemory,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809780 NtMapViewOfSection,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809FE0 NtCreateMutant,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809860 NtQuerySystemInformation,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8099A0 NtCreateSection,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809A80 NtOpenDirectoryObject, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8096D0 NtCreateKey, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809A00 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809610 NtEnumerateValueKey, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809A10 NtQuerySection, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809A20 NtResumeThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809650 NtQueryValueKey, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809A50 NtCreateFile, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809670 NtQueryInformationProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8097A0 NtUnmapViewOfSection, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E80A3B0 NtGetContextThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809B00 NtSetValueKey, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E80A710 NtOpenProcessToken, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809710 NtQueryInformationToken, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809730 NtQueryVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809760 NtOpenProcess, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809770 NtSetInformationFile, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E80A770 NtOpenThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8098A0 NtWriteVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8098F0 NtReadVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809820 NtEnumerateKey, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809840 NtDelayExecution, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E80B040 NtSuspendThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8099D0 NtCreateProcessEx, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8095D0 NtClose, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8095F0 NtQueryInformationFile, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809520 NtWaitForSingleObject, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E80AD30 NtSetContextThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809540 NtReadFile, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809950 NtQueueApcThread, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E809560 NtWriteFile, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00563133 NtProtectVirtualMemory, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_0056E7CC NtProtectVirtualMemory, |
Source: Original Doc Ref SN02853801324189923.exe | Binary or memory string: OriginalFilename vs Original Doc Ref SN02853801324189923.exe |
Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000002.485465711.0000000000FCA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe |
Source: Original Doc Ref SN02853801324189923.exe, 00000000.00000000.233147704.0000000000FCA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe |
Source: Original Doc Ref SN02853801324189923.exe | Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Original Doc Ref SN02853801324189923.exe |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: Semiha.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: unknown | Process created: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe "C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe" |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe |
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\ |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe C:\Users\user~1\AppData\Local\Temp\IXP000.TMP\Semiha.exe |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC5849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC4E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA, |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Original Doc Ref SN02853801324189923.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: Yara match | File source: 00000019.00000000.481436441.0000000000560000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.482011607.00000000029E0000.00000040.00000001.sdmp, type: MEMORY |
Source: Yara match | File source: 00000019.00000002.779078252.0000000000560000.00000040.00000001.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC78A1 push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_00404C39 pushfd ; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_00406D5F push ebp; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_00406B0D push ss; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E4E50 push B1CC20AFh; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E5276 push esp; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E4316 push ds; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E1328 push esp; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E1321 push eax; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E0005 push cs; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E0078 push cs; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E3DDD push ss; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E3DD5 push ss; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E5560 push esp; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E81D0D1 push ecx; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00560078 push cs; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00560005 push cs; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00565560 push esp; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00563DD5 push ss; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00563DDD push ss; retf |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00564E50 push B1CC20AFh; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00565276 push esp; ret |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00564316 push ds; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00561321 push eax; iretd |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_00561328 push esp; ret |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC1910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | File opened: C:\Program Files\qga\qga.exe |
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1VQWZ_R4BQMLYR0EWMVVJ53NSYRGJMPKL |
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE |
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc |
Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0 |
Source: explorer.exe, 0000001C.00000002.771094420.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000 |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor |
Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW- |
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Time Synchronization Service |
Source: Semiha.exe, 00000019.00000003.742387045.000000000091D000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779208842.000000000091D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW |
Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 |
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Heartbeat Service |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service |
Source: Semiha.exe, 00000002.00000002.482151039.0000000002B20000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll |
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} |
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: vmicshutdown |
Source: explorer.exe, 0000001C.00000002.766113713.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service |
Source: explorer.exe, 0000001C.00000000.752050950.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc |
Source: explorer.exe, 0000001C.00000002.771382701.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C |
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: vmicvss |
Source: Semiha.exe, 00000019.00000002.779387050.00000000021D0000.00000004.00000001.sdmp | Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1vqWz_R4BQMLYr0EwMvVJ53NsyRGjMpKl |
Source: explorer.exe, 0000001C.00000002.768967562.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002 |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Data Exchange Service |
Source: Semiha.exe, 00000002.00000002.482205968.0000000002C3A000.00000004.00000001.sdmp, Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V Guest Service Interface |
Source: Semiha.exe, 00000019.00000002.779414736.000000000229A000.00000004.00000001.sdmp | Binary or memory string: vmicheartbeat |
Source: C:\Users\user\Desktop\Original Doc Ref SN02853801324189923.exe | Code function: 0_2_00FC2DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029EBA69 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029EC093 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 2_2_029E9CA7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E85FE87 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7D766D mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E8446A7 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E890EA5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7C9240 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E87FEC0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7CE620 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E898ED6 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7CC600 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7F16E0 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7D76E2 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7F36CC mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E87FE3F mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7C52A5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E87B260 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7FD294 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E80927A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E88138A mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7CDB60 mov ecx, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7CF358 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E895BA5 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | Code function: 25_2_1E7CDB40 mov eax, dword ptr fs:[00000030h] |
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\Semiha.exe | |