Windows Analysis Report
Quoted Items.exe

Overview

General Information

Sample Name: Quoted Items.exe
Analysis ID: 626564
MD5: 901567a408d891fc0f67e15221d1b7e4
SHA1: dba16ac8c7523f640494843471a5f9d4fb211bef
SHA256: 70c9cf50b937cdf3015d4e7fdffbe1c8ab4820eaca74c7373f0760fa905a494a
Tags: exexloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign process
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.gulabmonga.com/gfge/"], "decoy": ["loopcoalition.com", "hd126.com", "elioguion.net", "defitrader.academy", "exactemi.com", "angeloacierno.com", "range4tis.com", "ilovekuduro.us", "mydealsstation.com", "jerichoprinting.com", "birdcafe605.com", "freemansrepublic.com", "driedplasma.com", "valuableconnect.com", "anthonyvid.xyz", "theydo.support", "devnetsecops.com", "cryptork.tech", "ufheur678.store", "lavenderspa586.com", "scandicinvestmentholding.com", "youenfangtex.com", "gratefulgrandmas.com", "ampersandtalent.net", "wippychick.com", "stamping.digital", "trixes.net", "popinticket.com", "ivyleaguereading.com", "killerinktnpasumo3.xyz", "greatyuwx.com", "royaltortoisecookieco.online", "quinten-and-sam.com", "mobile-sh.com", "reacjs.com", "hongbufang.net", "winemenuimports.com", "nashuatelegrpah.com", "nicorgaa.com", "outlanfd.com", "personalitideal.com", "mhhj666.com", "themethodcollective.com", "36536a.com", "bijit.xyz", "yoursinsoccer.net", "cryptoducks.club", "defuw.com", "kangley.net", "hacvm.com", "zhouyihong.top", "takut5.com", "kreditnekarticers.com", "koigo-wp.com", "52byhx.com", "phaghpanah.com", "apqlds.com", "karxsba2ix.xyz", "demasinfimo.quest", "unitytrstbnk.com", "panasonic-hcm.com", "27530amethystway.com", "idealftz.xyz", "conventionline.com"]}
Source: Quoted Items.exe Virustotal: Detection: 44%
Source: Quoted Items.exe ReversingLabs: Detection: 48%
Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: http://www.gratefulgrandmas.com/gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p Avira URL Cloud: Label: malware
Source: www.gulabmonga.com/gfge/ Avira URL Cloud: Label: malware
Source: Quoted Items.exe Joe Sandbox ML: detected
Source: 4.0.Quoted Items.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Quoted Items.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.Quoted Items.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.Quoted Items.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: Quoted Items.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Quoted Items.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: AuthorizationRuleCollect.pdb source: Quoted Items.exe
Source: Binary string: wntdll.pdbUGP source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4x nop then pop edi 4_2_0040C3D8
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4x nop then pop edi 4_2_00415652
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 16_2_00DBC3D8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 4x nop then pop edi 16_2_00DC5652

Networking

Source: C:\Windows\explorer.exe Domain query: www.zhouyihong.top
Source: C:\Windows\explorer.exe Network Connect: 180.76.158.103 80
Source: C:\Windows\explorer.exe Domain query: www.gratefulgrandmas.com
Source: C:\Windows\explorer.exe Domain query: www.royaltortoisecookieco.online
Source: C:\Windows\explorer.exe Network Connect: 172.217.168.19 80
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49806 -> 209.17.116.163:80
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.3:51518 -> 8.8.8.8:53
Source: Malware configuration extractor URLs: www.gulabmonga.com/gfge/
Source: Joe Sandbox View ASN Name: BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd
Source: Joe Sandbox View ASN Name: DEFENSE-NETUS
Source: global traffic HTTP traffic detected: GET /gfge/?-ZEhG=0pO83p&atm=bkTODcW29ZLLFsJ1z0hFzGOlzA/dTRh9UhQLTYc1zt8rWVzKVHP86zdm8t9X8OCiEKYk HTTP/1.1 Host: www.royaltortoisecookieco.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /gfge/?atm=Z4UEWxzHsbgHCWzNn0OH8uguYAGXLulTgu05WjhJOdFN0vK06536biQ9Uf++w6wnfUsW&-ZEhG=0pO83p HTTP/1.1 Host: www.gratefulgrandmas.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 209.17.116.163
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Quoted Items.exe, 00000000.00000002.290407934.00000000070A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515718507.00000000033FF000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515691938.00000000033F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhouyihong.top/gfge/?-ZEhG=0pO83p&atm=sEHQRf3BqyQO1Td3JS1wynh19DI9TXEUdP6kOjRf7qywa0JEaIf
Source: cmstp.exe, 00000010.00000002.517155525.0000000005762000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.gratitudeaddict.com/
Source: unknown DNS traffic detected: queries for: www.royaltortoisecookieco.online

E-Banking Fraud

Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Quoted Items.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D64360 0_2_02D64360
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D640C0 0_2_02D640C0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D640B0 0_2_02D640B0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07835AD8 0_2_07835AD8
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_078356A3 0_2_078356A3
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_078356B0 0_2_078356B0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07830400 0_2_07830400
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_078303F0 0_2_078303F0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07836B98 0_2_07836B98
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07836BE0 0_2_07836BE0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07836BF0 0_2_07836BF0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07835AC8 0_2_07835AC8
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00401030 4_2_00401030
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041BA9D 4_2_0041BA9D
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041CB90 4_2_0041CB90
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00408C6B 4_2_00408C6B
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00408C70 4_2_00408C70
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00402D87 4_2_00402D87
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00402D90 4_2_00402D90
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00402FB0 4_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A2D07 16_2_051A2D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D0D20 16_2_050D0D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A1D55 16_2_051A1D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05102581 16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05192D82 16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A25DD 16_2_051A25DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050ED5E0 16_2_050ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E841F 16_2_050E841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB477 16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519D466 16_2_0519D466
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194496 16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051ADFCE 16_2_051ADFCE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A1FF1 16_2_051A1FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519D616 16_2_0519D616
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F6E30 16_2_050F6E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05181EB6 16_2_05181EB6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A2EF7 16_2_051A2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DF900 16_2_050DF900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F4120 16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05191002 16_2_05191002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051AE824 16_2_051AE824
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA830 16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EB090 16_2_050EB090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A20A8 16_2_051A20A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A28EC 16_2_051A28EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A2B28 16_2_051A2B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FAB40 16_2_050FAB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0517CB4F 16_2_0517CB4F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FEB9A 16_2_050FEB9A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510138B 16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510EBB0 16_2_0510EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051903DA 16_2_051903DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510ABD8 16_2_0510ABD8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519DBD2 16_2_0519DBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051823E3 16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0518FA2B 16_2_0518FA2B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A22AE 16_2_051A22AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DCCB90 16_2_00DCCB90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DB8C70 16_2_00DB8C70
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DB8C6B 16_2_00DB8C6B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DB2D90 16_2_00DB2D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DB2D87 16_2_00DB2D87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DB2FB0 16_2_00DB2FB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 050DB150 appears 145 times
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_004185D0 NtCreateFile, 4_2_004185D0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00418680 NtReadFile, 4_2_00418680
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00418700 NtClose, 4_2_00418700
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_004187B0 NtAllocateVirtualMemory, 4_2_004187B0
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_004186FA NtClose, 4_2_004186FA
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_004187AA NtAllocateVirtualMemory, 4_2_004187AA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119540 NtReadFile,LdrInitializeThunk, 16_2_05119540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051195D0 NtClose,LdrInitializeThunk, 16_2_051195D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119710 NtQueryInformationToken,LdrInitializeThunk, 16_2_05119710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119780 NtMapViewOfSection,LdrInitializeThunk, 16_2_05119780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119FE0 NtCreateMutant,LdrInitializeThunk, 16_2_05119FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119650 NtQueryValueKey,LdrInitializeThunk, 16_2_05119650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_05119660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051196D0 NtCreateKey,LdrInitializeThunk, 16_2_051196D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051196E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_051196E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_05119910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051199A0 NtCreateSection,LdrInitializeThunk, 16_2_051199A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119840 NtDelayExecution,LdrInitializeThunk, 16_2_05119840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_05119860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119A50 NtCreateFile,LdrInitializeThunk, 16_2_05119A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0511AD30 NtSetContextThread, 16_2_0511AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119520 NtWaitForSingleObject, 16_2_05119520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119560 NtWriteFile, 16_2_05119560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051195F0 NtQueryInformationFile, 16_2_051195F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0511A710 NtOpenProcessToken, 16_2_0511A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119730 NtQueryVirtualMemory, 16_2_05119730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0511A770 NtOpenThread, 16_2_0511A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119770 NtSetInformationFile, 16_2_05119770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119760 NtOpenProcess, 16_2_05119760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051197A0 NtUnmapViewOfSection, 16_2_051197A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119610 NtEnumerateValueKey, 16_2_05119610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119670 NtQueryInformationProcess, 16_2_05119670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119950 NtQueueApcThread, 16_2_05119950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051199D0 NtCreateProcessEx, 16_2_051199D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119820 NtEnumerateKey, 16_2_05119820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0511B040 NtSuspendThread, 16_2_0511B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051198A0 NtWriteVirtualMemory, 16_2_051198A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051198F0 NtReadVirtualMemory, 16_2_051198F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119B00 NtSetValueKey, 16_2_05119B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0511A3B0 NtGetContextThread, 16_2_0511A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119A10 NtQuerySection, 16_2_05119A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119A00 NtProtectVirtualMemory, 16_2_05119A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119A20 NtResumeThread, 16_2_05119A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05119A80 NtOpenDirectoryObject, 16_2_05119A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC85D0 NtCreateFile, 16_2_00DC85D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC8680 NtReadFile, 16_2_00DC8680
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC87B0 NtAllocateVirtualMemory, 16_2_00DC87B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC8700 NtClose, 16_2_00DC8700
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC86FA NtClose, 16_2_00DC86FA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC87AA NtAllocateVirtualMemory, 16_2_00DC87AA
Source: Quoted Items.exe, 00000000.00000002.291013641.0000000007840000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Quoted Items.exe
Source: Quoted Items.exe, 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs Quoted Items.exe
Source: Quoted Items.exe, 00000000.00000002.285355220.0000000000C8C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000000.276006405.000000000069C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000002.352397627.000000000140F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000003.281729313.0000000000F3F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000003.286087431.00000000010EB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quoted Items.exe
Source: Quoted Items.exe Binary or memory string: OriginalFilenameAuthorizationRuleCollect.exe6 vs Quoted Items.exe
Source: Quoted Items.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Quoted Items.exe Virustotal: Detection: 44%
Source: Quoted Items.exe ReversingLabs: Detection: 48%
Source: Quoted Items.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quoted Items.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Quoted Items.exe "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Users\user\Desktop\Quoted Items.exe Process created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quoted Items.exe Process created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Windows\SysWOW64\cmstp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Quoted Items.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quoted Items.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@6/3
Source: C:\Users\user\Desktop\Quoted Items.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: Quoted Items.exe, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: Quoted Items.exe, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmstp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmstp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Quoted Items.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Quoted Items.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quoted Items.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Quoted Items.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: AuthorizationRuleCollect.pdb source: Quoted Items.exe
Source: Binary string: wntdll.pdbUGP source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quoted Items.exe, 00000004.00000003.279757387.0000000000E29000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351539993.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000003.285678625.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, Quoted Items.exe, 00000004.00000002.351751722.000000000127F000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, cmstp.exe, 00000010.00000003.351171334.0000000004D7E000.00000004.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516510294.00000000051CF000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.516081168.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.352532340.0000000004F11000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Quoted Items.exe, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Quoted Items.exe.bf0000.0.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.3.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.2.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.1.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.5.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.0.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 4.0.Quoted Items.exe.600000.7.unpack, oK/KZ.cs .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D693BD pushad ; retf 0_2_02D693BE
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D690D0 pushad ; retf 0_2_02D690D1
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D69BED pushad ; retf 0_2_02D69BEE
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_02D6987F pushad ; retf 0_2_02D69880
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 0_2_07837017 pushfd ; retf 0_2_0783701C
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041B87C push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041B812 push eax; ret 4_2_0041B818
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041B81B push eax; ret 4_2_0041B882
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0040C8D2 push esp; iretd 4_2_0040C8DA
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041C905 push dword ptr [DE3B1691h]; ret 4_2_0041C926
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041612A push 78D33A13h; iretd 4_2_004161E2
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_004161B3 push 78D33A13h; iretd 4_2_004161E2
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0040C2F8 push ds; retf 4_2_0040C328
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0040D417 push 00000060h; iretd 4_2_0040D41D
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041CDA5 push 073A5053h; ret 4_2_0041CDC5
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00414E92 push esp; ret 4_2_00414EA1
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00414EA2 push ds; retf 4_2_00414EA3
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_0041B7C5 push eax; ret 4_2_0041B818
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0512D0D1 push ecx; ret 16_2_0512D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DBC8D2 push esp; iretd 16_2_00DBC8DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DCB87C push eax; ret 16_2_00DCB882
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DCB81B push eax; ret 16_2_00DCB882
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DCB812 push eax; ret 16_2_00DCB818
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC61B3 push 78D33A13h; iretd 16_2_00DC61E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DCC905 push dword ptr [DE3B1691h]; ret 16_2_00DCC926
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC612A push 78D33A13h; iretd 16_2_00DC61E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DBC2F8 push ds; retf 16_2_00DBC328
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DBD417 push 00000060h; iretd 16_2_00DBD41D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DCCDA5 push 073A5053h; ret 16_2_00DCCDC5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC4E92 push esp; ret 16_2_00DC4EA1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_00DC4EA2 push ds; retf 16_2_00DC4EA3
Source: initial sample Static PE information: section name: .text entropy: 7.72747835774

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmstp.exe Process created: /c del "C:\Users\user\Desktop\Quoted Items.exe"
Source: C:\Users\user\Desktop\Quoted Items.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.Quoted Items.exe.2fc435c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.2fd9a34.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.2fcd7e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quoted Items.exe PID: 6360, type: MEMORYSTR
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\Quoted Items.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quoted Items.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000DB8604 second address: 0000000000DB860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000DB898E second address: 0000000000DB8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Quoted Items.exe TID: 6364 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\Quoted Items.exe TID: 6388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\cmstp.exe TID: 1508 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_004088C0 rdtsc 4_2_004088C0
Source: C:\Users\user\Desktop\Quoted Items.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmstp.exe API coverage: 7.1 %
Source: C:\Users\user\Desktop\Quoted Items.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Thread delayed: delay time: 45733
Source: explorer.exe, 00000005.00000000.313752460.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.374832571.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.326795493.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000005.00000000.294924732.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.306967139.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: cmstp.exe, 00000010.00000002.515589194.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.515741190.0000000003409000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.314689990.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000005.00000000.313752460.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.314862974.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: Quoted Items.exe, 00000000.00000002.286733005.0000000002F61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\Quoted Items.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519E539 mov eax, dword ptr fs:[00000030h] 16_2_0519E539
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0515A537 mov eax, dword ptr fs:[00000030h] 16_2_0515A537
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05104D3B mov eax, dword ptr fs:[00000030h] 16_2_05104D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A8D34 mov eax, dword ptr fs:[00000030h] 16_2_051A8D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510F527 mov eax, dword ptr fs:[00000030h] 16_2_0510F527
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E3D34 mov eax, dword ptr fs:[00000030h] 16_2_050E3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DAD30 mov eax, dword ptr fs:[00000030h] 16_2_050DAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05113D43 mov eax, dword ptr fs:[00000030h] 16_2_05113D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05153540 mov eax, dword ptr fs:[00000030h] 16_2_05153540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05183D40 mov eax, dword ptr fs:[00000030h] 16_2_05183D40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F7D50 mov eax, dword ptr fs:[00000030h] 16_2_050F7D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FC577 mov eax, dword ptr fs:[00000030h] 16_2_050FC577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D2D8A mov eax, dword ptr fs:[00000030h] 16_2_050D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510FD9B mov eax, dword ptr fs:[00000030h] 16_2_0510FD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05102581 mov eax, dword ptr fs:[00000030h] 16_2_05102581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05192D82 mov eax, dword ptr fs:[00000030h] 16_2_05192D82
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05101DB5 mov eax, dword ptr fs:[00000030h] 16_2_05101DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051035A1 mov eax, dword ptr fs:[00000030h] 16_2_051035A1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A05AC mov eax, dword ptr fs:[00000030h] 16_2_051A05AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05156DC9 mov eax, dword ptr fs:[00000030h] 16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05156DC9 mov ecx, dword ptr fs:[00000030h] 16_2_05156DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05188DF1 mov eax, dword ptr fs:[00000030h] 16_2_05188DF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050ED5E0 mov eax, dword ptr fs:[00000030h] 16_2_050ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0519FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A740D mov eax, dword ptr fs:[00000030h] 16_2_051A740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05191C06 mov eax, dword ptr fs:[00000030h] 16_2_05191C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05156C0A mov eax, dword ptr fs:[00000030h] 16_2_05156C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05103C3E mov eax, dword ptr fs:[00000030h] 16_2_05103C3E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510BC2C mov eax, dword ptr fs:[00000030h] 16_2_0510BC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516C450 mov eax, dword ptr fs:[00000030h] 16_2_0516C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510A44B mov eax, dword ptr fs:[00000030h] 16_2_0510A44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F746D mov eax, dword ptr fs:[00000030h] 16_2_050F746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510AC7B mov eax, dword ptr fs:[00000030h] 16_2_0510AC7B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB477 mov eax, dword ptr fs:[00000030h] 16_2_050FB477
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194496 mov eax, dword ptr fs:[00000030h] 16_2_05194496
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E849B mov eax, dword ptr fs:[00000030h] 16_2_050E849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A8CD6 mov eax, dword ptr fs:[00000030h] 16_2_051A8CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051914FB mov eax, dword ptr fs:[00000030h] 16_2_051914FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05156CF0 mov eax, dword ptr fs:[00000030h] 16_2_05156CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05104710 mov eax, dword ptr fs:[00000030h] 16_2_05104710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516FF10 mov eax, dword ptr fs:[00000030h] 16_2_0516FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A070D mov eax, dword ptr fs:[00000030h] 16_2_051A070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FF716 mov eax, dword ptr fs:[00000030h] 16_2_050FF716
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510A70E mov eax, dword ptr fs:[00000030h] 16_2_0510A70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510E730 mov eax, dword ptr fs:[00000030h] 16_2_0510E730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D4F2E mov eax, dword ptr fs:[00000030h] 16_2_050D4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D4F2E mov eax, dword ptr fs:[00000030h] 16_2_050D4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05103F33 mov eax, dword ptr fs:[00000030h] 16_2_05103F33
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB73D mov eax, dword ptr fs:[00000030h] 16_2_050FB73D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB73D mov eax, dword ptr fs:[00000030h] 16_2_050FB73D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05191751 mov eax, dword ptr fs:[00000030h] 16_2_05191751
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EEF40 mov eax, dword ptr fs:[00000030h] 16_2_050EEF40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EFF60 mov eax, dword ptr fs:[00000030h] 16_2_050EFF60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A8F6A mov eax, dword ptr fs:[00000030h] 16_2_051A8F6A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05157794 mov eax, dword ptr fs:[00000030h] 16_2_05157794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05157794 mov eax, dword ptr fs:[00000030h] 16_2_05157794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05157794 mov eax, dword ptr fs:[00000030h] 16_2_05157794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E8794 mov eax, dword ptr fs:[00000030h] 16_2_050E8794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051137F5 mov eax, dword ptr fs:[00000030h] 16_2_051137F5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510A61C mov eax, dword ptr fs:[00000030h] 16_2_0510A61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510A61C mov eax, dword ptr fs:[00000030h] 16_2_0510A61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h] 16_2_050DC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h] 16_2_050DC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DC600 mov eax, dword ptr fs:[00000030h] 16_2_050DC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov ecx, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F5600 mov eax, dword ptr fs:[00000030h] 16_2_050F5600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05108E00 mov eax, dword ptr fs:[00000030h] 16_2_05108E00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05191608 mov eax, dword ptr fs:[00000030h] 16_2_05191608
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0518FE3F mov eax, dword ptr fs:[00000030h] 16_2_0518FE3F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DE620 mov eax, dword ptr fs:[00000030h] 16_2_050DE620
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h] 16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h] 16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h] 16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h] 16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h] 16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E7E41 mov eax, dword ptr fs:[00000030h] 16_2_050E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519AE44 mov eax, dword ptr fs:[00000030h] 16_2_0519AE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519AE44 mov eax, dword ptr fs:[00000030h] 16_2_0519AE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E766D mov eax, dword ptr fs:[00000030h] 16_2_050E766D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h] 16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h] 16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h] 16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h] 16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FAE73 mov eax, dword ptr fs:[00000030h] 16_2_050FAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516FE87 mov eax, dword ptr fs:[00000030h] 16_2_0516FE87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051546A7 mov eax, dword ptr fs:[00000030h] 16_2_051546A7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h] 16_2_051A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h] 16_2_051A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A0EA5 mov eax, dword ptr fs:[00000030h] 16_2_051A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A8ED6 mov eax, dword ptr fs:[00000030h] 16_2_051A8ED6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05118EC7 mov eax, dword ptr fs:[00000030h] 16_2_05118EC7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0518FEC0 mov eax, dword ptr fs:[00000030h] 16_2_0518FEC0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051036CC mov eax, dword ptr fs:[00000030h] 16_2_051036CC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E76E2 mov eax, dword ptr fs:[00000030h] 16_2_050E76E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051016E0 mov ecx, dword ptr fs:[00000030h] 16_2_051016E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h] 16_2_050D9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h] 16_2_050D9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9100 mov eax, dword ptr fs:[00000030h] 16_2_050D9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510513A mov eax, dword ptr fs:[00000030h] 16_2_0510513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510513A mov eax, dword ptr fs:[00000030h] 16_2_0510513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h] 16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h] 16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h] 16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F4120 mov eax, dword ptr fs:[00000030h] 16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F4120 mov ecx, dword ptr fs:[00000030h] 16_2_050F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB944 mov eax, dword ptr fs:[00000030h] 16_2_050FB944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB944 mov eax, dword ptr fs:[00000030h] 16_2_050FB944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DC962 mov eax, dword ptr fs:[00000030h] 16_2_050DC962
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DB171 mov eax, dword ptr fs:[00000030h] 16_2_050DB171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DB171 mov eax, dword ptr fs:[00000030h] 16_2_050DB171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05102990 mov eax, dword ptr fs:[00000030h] 16_2_05102990
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05104190 mov eax, dword ptr fs:[00000030h] 16_2_05104190
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FC182 mov eax, dword ptr fs:[00000030h] 16_2_050FC182
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510A185 mov eax, dword ptr fs:[00000030h] 16_2_0510A185
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h] 16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h] 16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h] 16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051551BE mov eax, dword ptr fs:[00000030h] 16_2_051551BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051061A0 mov eax, dword ptr fs:[00000030h] 16_2_051061A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051061A0 mov eax, dword ptr fs:[00000030h] 16_2_051061A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov ecx, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F99BF mov eax, dword ptr fs:[00000030h] 16_2_050F99BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051569A6 mov eax, dword ptr fs:[00000030h] 16_2_051569A6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h] 16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h] 16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h] 16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051949A4 mov eax, dword ptr fs:[00000030h] 16_2_051949A4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h] 16_2_050DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h] 16_2_050DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DB1E1 mov eax, dword ptr fs:[00000030h] 16_2_050DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051641E8 mov eax, dword ptr fs:[00000030h] 16_2_051641E8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05157016 mov eax, dword ptr fs:[00000030h] 16_2_05157016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05157016 mov eax, dword ptr fs:[00000030h] 16_2_05157016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05157016 mov eax, dword ptr fs:[00000030h] 16_2_05157016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A4015 mov eax, dword ptr fs:[00000030h] 16_2_051A4015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A4015 mov eax, dword ptr fs:[00000030h] 16_2_051A4015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h] 16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h] 16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h] 16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EB02A mov eax, dword ptr fs:[00000030h] 16_2_050EB02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h] 16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h] 16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h] 16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h] 16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510002D mov eax, dword ptr fs:[00000030h] 16_2_0510002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h] 16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h] 16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h] 16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA830 mov eax, dword ptr fs:[00000030h] 16_2_050FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F0050 mov eax, dword ptr fs:[00000030h] 16_2_050F0050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F0050 mov eax, dword ptr fs:[00000030h] 16_2_050F0050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05192073 mov eax, dword ptr fs:[00000030h] 16_2_05192073
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A1074 mov eax, dword ptr fs:[00000030h] 16_2_051A1074
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9080 mov eax, dword ptr fs:[00000030h] 16_2_050D9080
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05153884 mov eax, dword ptr fs:[00000030h] 16_2_05153884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05153884 mov eax, dword ptr fs:[00000030h] 16_2_05153884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510F0BF mov ecx, dword ptr fs:[00000030h] 16_2_0510F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510F0BF mov eax, dword ptr fs:[00000030h] 16_2_0510F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510F0BF mov eax, dword ptr fs:[00000030h] 16_2_0510F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h] 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h] 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h] 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h] 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h] 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051020A0 mov eax, dword ptr fs:[00000030h] 16_2_051020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051190AF mov eax, dword ptr fs:[00000030h] 16_2_051190AF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516B8D0 mov ecx, dword ptr fs:[00000030h] 16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0516B8D0 mov eax, dword ptr fs:[00000030h] 16_2_0516B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D58EC mov eax, dword ptr fs:[00000030h] 16_2_050D58EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB8E4 mov eax, dword ptr fs:[00000030h] 16_2_050FB8E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB8E4 mov eax, dword ptr fs:[00000030h] 16_2_050FB8E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h] 16_2_050D40E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h] 16_2_050D40E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D40E1 mov eax, dword ptr fs:[00000030h] 16_2_050D40E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519131B mov eax, dword ptr fs:[00000030h] 16_2_0519131B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA309 mov eax, dword ptr fs:[00000030h] 16_2_050FA309
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A8B58 mov eax, dword ptr fs:[00000030h] 16_2_051A8B58
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DDB40 mov eax, dword ptr fs:[00000030h] 16_2_050DDB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DF358 mov eax, dword ptr fs:[00000030h] 16_2_050DF358
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05103B7A mov eax, dword ptr fs:[00000030h] 16_2_05103B7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05103B7A mov eax, dword ptr fs:[00000030h] 16_2_05103B7A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DDB60 mov ecx, dword ptr fs:[00000030h] 16_2_050DDB60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510B390 mov eax, dword ptr fs:[00000030h] 16_2_0510B390
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E1B8F mov eax, dword ptr fs:[00000030h] 16_2_050E1B8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E1B8F mov eax, dword ptr fs:[00000030h] 16_2_050E1B8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05102397 mov eax, dword ptr fs:[00000030h] 16_2_05102397
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519138A mov eax, dword ptr fs:[00000030h] 16_2_0519138A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FEB9A mov eax, dword ptr fs:[00000030h] 16_2_050FEB9A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FEB9A mov eax, dword ptr fs:[00000030h] 16_2_050FEB9A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0518D380 mov ecx, dword ptr fs:[00000030h] 16_2_0518D380
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510138B mov eax, dword ptr fs:[00000030h] 16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510138B mov eax, dword ptr fs:[00000030h] 16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510138B mov eax, dword ptr fs:[00000030h] 16_2_0510138B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h] 16_2_05104BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h] 16_2_05104BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05104BAD mov eax, dword ptr fs:[00000030h] 16_2_05104BAD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A5BA5 mov eax, dword ptr fs:[00000030h] 16_2_051A5BA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051053C5 mov eax, dword ptr fs:[00000030h] 16_2_051053C5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051553CA mov eax, dword ptr fs:[00000030h] 16_2_051553CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051553CA mov eax, dword ptr fs:[00000030h] 16_2_051553CA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FDBE9 mov eax, dword ptr fs:[00000030h] 16_2_050FDBE9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h] 16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h] 16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h] 16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h] 16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h] 16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051003E2 mov eax, dword ptr fs:[00000030h] 16_2_051003E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051823E3 mov ecx, dword ptr fs:[00000030h] 16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051823E3 mov ecx, dword ptr fs:[00000030h] 16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051823E3 mov eax, dword ptr fs:[00000030h] 16_2_051823E3
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050E8A0A mov eax, dword ptr fs:[00000030h] 16_2_050E8A0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519AA16 mov eax, dword ptr fs:[00000030h] 16_2_0519AA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519AA16 mov eax, dword ptr fs:[00000030h] 16_2_0519AA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050F3A1C mov eax, dword ptr fs:[00000030h] 16_2_050F3A1C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DAA16 mov eax, dword ptr fs:[00000030h] 16_2_050DAA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050DAA16 mov eax, dword ptr fs:[00000030h] 16_2_050DAA16
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h] 16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D5210 mov ecx, dword ptr fs:[00000030h] 16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h] 16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D5210 mov eax, dword ptr fs:[00000030h] 16_2_050D5210
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FA229 mov eax, dword ptr fs:[00000030h] 16_2_050FA229
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h] 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h] 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h] 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h] 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h] 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050FB236 mov eax, dword ptr fs:[00000030h] 16_2_050FB236
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05114A2C mov eax, dword ptr fs:[00000030h] 16_2_05114A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05114A2C mov eax, dword ptr fs:[00000030h] 16_2_05114A2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05164257 mov eax, dword ptr fs:[00000030h] 16_2_05164257
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0519EA55 mov eax, dword ptr fs:[00000030h] 16_2_0519EA55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h] 16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h] 16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h] 16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D9240 mov eax, dword ptr fs:[00000030h] 16_2_050D9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0511927A mov eax, dword ptr fs:[00000030h] 16_2_0511927A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0518B260 mov eax, dword ptr fs:[00000030h] 16_2_0518B260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0518B260 mov eax, dword ptr fs:[00000030h] 16_2_0518B260
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_051A8A62 mov eax, dword ptr fs:[00000030h] 16_2_051A8A62
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510D294 mov eax, dword ptr fs:[00000030h] 16_2_0510D294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510D294 mov eax, dword ptr fs:[00000030h] 16_2_0510D294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_0510FAB0 mov eax, dword ptr fs:[00000030h] 16_2_0510FAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h] 16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h] 16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h] 16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h] 16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050D52A5 mov eax, dword ptr fs:[00000030h] 16_2_050D52A5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EAAB0 mov eax, dword ptr fs:[00000030h] 16_2_050EAAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_050EAAB0 mov eax, dword ptr fs:[00000030h] 16_2_050EAAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05102ACB mov eax, dword ptr fs:[00000030h] 16_2_05102ACB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05102AE4 mov eax, dword ptr fs:[00000030h] 16_2_05102AE4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 16_2_05194AEF mov eax, dword ptr fs:[00000030h] 16_2_05194AEF
Source: C:\Users\user\Desktop\Quoted Items.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Quoted Items.exe Code function: 4_2_00409B30 LdrLoadDll, 4_2_00409B30
Source: C:\Users\user\Desktop\Quoted Items.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.zhouyihong.top
Source: C:\Windows\explorer.exe Network Connect: 180.76.158.103 80
Source: C:\Windows\explorer.exe Domain query: www.gratefulgrandmas.com
Source: C:\Windows\explorer.exe Domain query: www.royaltortoisecookieco.online
Source: C:\Windows\explorer.exe Network Connect: 172.217.168.19 80
Source: C:\Windows\explorer.exe Network Connect: 209.17.116.163 80
Source: C:\Users\user\Desktop\Quoted Items.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 1230000
Source: C:\Users\user\Desktop\Quoted Items.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Quoted Items.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Quoted Items.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Quoted Items.exe Memory written: C:\Users\user\Desktop\Quoted Items.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Quoted Items.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Quoted Items.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\Quoted Items.exe Process created: C:\Users\user\Desktop\Quoted Items.exe C:\Users\user\Desktop\Quoted Items.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Quoted Items.exe"
Source: explorer.exe, 00000005.00000000.305101849.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.326753405.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.374845928.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.331301300.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.298445509.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.326871038.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.374983831.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.288291734.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.288816660.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.375172298.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.327172842.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Users\user\Desktop\Quoted Items.exe VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quoted Items.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.41791d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Quoted Items.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.Quoted Items.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Quoted Items.exe.402a8a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.515431699.0000000003370000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.350947066.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514085622.0000000000DB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.316596581.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351326281.0000000000C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.278783725.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.338397807.000000000D158000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.277402200.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.287722353.000000000402A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.351362471.0000000000C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515850944.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY